Guru
Posts: 2,845
Registered: ‎22-05-2012
0

Spoofing protection in Event Log?

Hi all,

Any idea what this means?

20:41:50, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:41:46, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)

It's been happening since midday today.

I have:

1) Turned off all Wifi SSIDs on Homehub and Access points on the network.

2) Disconnected all Access Points and HomePlugs adapters with just the HomeHub connected and isolated (with WiFi disabled) with no devices connected to the homehub.

However it still appeared.

Thought it might have been a virus or spyware on the Mac so did an anti-virus scan and nothing was found.

Here's the Event log:

20:49:21, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:49:19, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:41:51, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:41:50, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:41:46, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:40:29, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:38:23, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:36:17, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:35:32, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:35:32, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:34:16, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:33:21, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:33:08, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:02:48, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:01:30, 27 Mar. BLOCKED 2 more packets (because of Spoofing protection)
20:01:30, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
20:01:30, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
20:00:41, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:58:29, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:54:25, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:43:50, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:42:46, 27 Mar. IN: BLOCK [16] Remote administration (ICMP type 8 code 0 183.68.217.131->109.154.165.131 on ppp0)
19:33:22, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:29:09, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:28:05, 27 Mar. IN: BLOCK [16] Remote administration (TCP 125.39.82.250:53734->109.154.165.131:22 on ppp0)
19:20:41, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:18:32, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:10:14, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:05:59, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:38:46, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:36:40, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:35:32, 27 Mar. IN: BLOCK [16] Remote administration (TCP 202.114.6.62:7305->109.154.165.131:22 on ppp0)
18:32:23, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:30:48, 27 Mar. OUT: BLOCK [65] First packet is Invalid (TCP 10.183.164.50:60966->173.194.78.188:5228 on ppp0)
18:30:21, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:19:49, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:17:43, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:17:15, 27 Mar. IN: BLOCK [16] Remote administration (TCP 202.91.226.92:1983->109.154.165.131:22 on ppp0)
18:15:40, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:13:28, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
18:12:53, 27 Mar. BLOCKED 2 more packets (because of Spoofing protection)
18:12:52, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:52:29, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:48:16, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:44:08, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:43:54, 27 Mar. BLOCKED 5 more packets (because of First packet is Invalid)
17:43:52, 27 Mar. OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.65:58000->91.208.99.12:80 on ppp0)
17:25:11, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:23:08, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:18:53, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:16:49, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:15:57, 27 Mar. OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.65:57386->92.242.132.15:80 on ppp0)
17:10:36, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
17:08:27, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:49:35, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:48:54, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
16:48:52, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:48:52, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
16:48:51, 27 Mar. BLOCKED 2 more packets (because of Spoofing protection)
16:48:48, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:48:48, 27 Mar. BLOCKED 1 more packets (because of Spoofing protection)
16:48:48, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:47:21, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:46:36, 27 Mar. OUT: BLOCK [65] First packet is Invalid (TCP 192.168.1.65:56390->208.74.205.93:80 on ppp0)
16:45:19, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:43:13, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:40:58, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
16:39:01, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)

 

Cheers.


jac_95 | BT.com Help Site | BT Service Status
Someone Solved Your Question?
Please let other members know by clicking on ’Mark as Accepted Solution’
Try a Search
See if someone in the community had the same problem and how they got it resolved.
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?

If I'm honest, I've no idea regarding the Spoofing protection events but I get the same since my firmware was updated. I only see this when one of our laptops is connected to the hub via Ethernet and not the normal method of over wifi.

-+-No longer a forum member-+-
Guru
Posts: 2,845
Registered: ‎22-05-2012
0

Re: Spoofing protection in Event Log?

Thanks DS.

It seems to originate using the HomeHub's current Broadband network IP address (which was 109.154.165.131).

I did a restart of the Homehub which changed the Broadband network IP address to a new IP address, however the spoofing event seems to still be happening but now with the new Broadband network IP address instead.

It also seems to happen with any device connected to the Homehub (either Wifi or Ethernet) but when I isolated the Homehub on its own with no devices connected and the Wifi disabled it seemed to still happen but not as regularly as it did when devices were connected.

Just found it strange as it only happened today.

We've had the BTHub3.A firmware Version 4.7.5.1.83.8.94.1.11 (Type A) since 20/12/12.

Cheers


jac_95 | BT.com Help Site | BT Service Status
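One way to tally the event log format quoted in this thread and pick out the blocked packets whose source is the hub's own broadband address, as described in the post above. This is an added example, not code from either poster or from BT; the function names are hypothetical, the sample lines are copied from the log posted earlier, and treating "BLOCKED n more packets" as n additional packets is an assumption.

```python
import re
from collections import Counter

# Sample lines copied from the event log posted earlier in this thread.
SAMPLE = """\
20:01:30, 27 Mar. BLOCKED 2 more packets (because of Spoofing protection)
20:01:30, 27 Mar. IN: BLOCK [12] Spoofing protection (IGMP 109.154.165.131->224.0.0.22 on ppp0)
19:42:46, 27 Mar. IN: BLOCK [16] Remote administration (ICMP type 8 code 0 183.68.217.131->109.154.165.131 on ppp0)
19:28:05, 27 Mar. IN: BLOCK [16] Remote administration (TCP 125.39.82.250:53734->109.154.165.131:22 on ppp0)
18:30:48, 27 Mar. OUT: BLOCK [65] First packet is Invalid (TCP 10.183.164.50:60966->173.194.78.188:5228 on ppp0)
17:43:54, 27 Mar. BLOCKED 5 more packets (because of First packet is Invalid)
"""

# One logged packet: time, direction, rule number, reason, protocol, src->dst.
EVENT = re.compile(
    r"^(?P<time>[\d:]+), (?P<date>\d+ \w+)\. (?P<dir>IN|OUT): BLOCK "
    r"\[(?P<rule>\d+)\] (?P<reason>.+?) \((?P<proto>[A-Z]+)(?: type \d+ code \d+)? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"on (?P<iface>\w+)\)$")
# Roll-up line for packets the hub blocked without logging each one.
MORE = re.compile(r"^[\d:]+, \d+ \w+\. BLOCKED (?P<n>\d+) more packets "
                  r"\(because of (?P<reason>.+)\)$")

def parse(text):
    """Return (events, packets per reason); unrecognised lines are skipped."""
    events, packets = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if m := EVENT.match(line):
            events.append(m.groupdict())
            packets[m["reason"]] += 1
        elif m := MORE.match(line):
            packets[m["reason"]] += int(m["n"])  # assumption: n extra packets
    return events, packets

def self_sourced(events, wan_ip):
    """Inbound 'Spoofing protection' events whose source is the hub's WAN IP."""
    return [e for e in events if e["dir"] == "IN"
            and e["reason"] == "Spoofing protection" and e["src"] == wan_ip]

def inbound_by_port(events, reason="Remote administration"):
    """Count external sources per destination port (None for ICMP/IGMP)."""
    return Counter((e["src"], e["dport"]) for e in events
                   if e["dir"] == "IN" and e["reason"] == reason)

if __name__ == "__main__":
    events, packets = parse(SAMPLE)
    print(dict(packets))
    print(len(self_sourced(events, "109.154.165.131")), "self-sourced IGMP blocks")
    print(inbound_by_port(events))
```

Pass the hub's current broadband address as `wan_ip`; it changes after a restart, as the post above notes.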
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?


jac_95 wrote:

Thanks DS.

 

It seems to originate using the HomeHub's current Broadband network IP address (which was 109.154.165.131).

 

It will do.

 

I did a restart of the Homehub which changed the Broadband network IP address to a new IP Address however the spoofing event seems to still be happening but now with the new Broadband network IP address instead.

 

Again, it will do.

 

It also seems to happen with any device connected to the Homehub (either Wifi or Ethernet) but when I isolated the Homehub on its own with no devices connected and the Wifi disabled it seemed to still happen but not as regularly as it did when devices were connected.

 

I'll double check, but being as I've been looking at the event log for a long time now I'm sure mine is only on either laptop when either is connected by ethernet. My gut feeling was the hub is seeing the device over ethernet and was seeing it over wifi, then the hub gets itself in a muddle and assumes the device has been spoofed, thus the event. When I get a spare few mins, I'll delete one of them (wifi) from the hub and see if the events continue.

 

Just found it strange as it only happened today.

 

As I said before, mine has only happened after the firmware update - I was one of the first to get the hub 3 when it was first released and have had several since.

 

We've had the BTHub3.A firmware Version 4.7.5.1.83.8.94.1.11 (Type A) since 20/12/12.

 

Mine's currently - Version 4.7.5.1.83.8.94.1.11 (Type A) updated 31/01/13, but this one is yet another replacement, hence why it's only showing the update since January.

 

Cheers


 

-+-No longer a forum member-+-
Guru
Posts: 2,845
Registered: ‎22-05-2012
0

Re: Spoofing protection in Event Log?

Okay, thanks DS.

Could be due to me adding a Belkin router set up as an access point so I could work outside.

 

Cheers


jac_95 | BT.com Help Site | BT Service Status
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?

It could be.....

 

Anyway, deleted this laptop's wifi connection on the hub and the spoofing events continue.

 

I'll drop back to wifi and see if the spoofing events stop.

-+-No longer a forum member-+-
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?

Well, I timed this well.....

 

Having dropped back to wifi, the event log did give 2 more spoofing events.

Deleted the laptop's ethernet connection from the hub (as I would do) and the events have, at the time of posting, stopped.

 

So I wonder if you went on wifi only would the spoofing events stop for you too?

 

(regarding the timing - No idea why 61.236.64.56 would want to gain access to my network, but the hub blocked it)

-+-No longer a forum member-+-
Guru
Posts: 2,845
Registered: ‎22-05-2012
0

Re: Spoofing protection in Event Log?

Thanks again DS.

Will try using just the Wireless settings on its own and will disconnect and delete the ethernet devices from the homehub tomorrow to see if it makes any difference.

It seems to have stopped at the moment, however there seem to be a few Remote Management connections in the last hour or so instead.

Haha I make 61.236.64.56 as CRNET CHINA RAILWAY Internet

Diolch (thanks)

 

 


jac_95 | BT.com Help Site | BT Service Status
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?


jac_95 wrote:

Thanks again DS.

 

Will try using just the Wireless settings on its own and will disconnect and delete the ethernet devices from the homehub tomorrow to see if it makes any difference.

It seems to have stopped at the moment, however there seem to be a few Remote Management connections in the last hour or so instead.

Haha I make 61.236.64.56 as CRNET CHINA RAILWAY Internet

Diolch (thanks)

 

 


No problem

 

Is it in the form of:

IN: BLOCK [16] Remote administration (TCP 61.236.64.56:58467->your current IP Address:22 on ppp0)

and

IN: BLOCK [16] Remote administration (TCP 89.165.3.186:22261->your current IP Address:22 on ppp0)

-+-No longer a forum member-+-
Distinguished Guru
Posts: 7,684
Registered: ‎27-01-2010
0

Re: Spoofing protection in Event Log?

Ah, you've already answered that in a post above.

 

19:28:05, 27 Mar. IN: BLOCK [16] Remote administration (TCP 125.39.82.250:53734->109.154.165.131:22 on ppp0)

-+-No longer a forum member-+-