How would one check for spoofed IPs/MAC addresses.
Dogsthumb
Joined: 14 Sep 2008, 18:46 Posts: 200
|
 How would one check for spoofed IPs/MAC addresses.
Example scenario: Someone has gained access to my wireless network. (not plugged in) It is MAC filtered and the user spoofed their MAC address in order to obtain an IP from my router. They already know my MAC address.
Can 2 machines occupy the same local IP and MAC address in order to trick the router into believing it's one machine?
Does the invader even need to worry about the IP if they are already using the same MAC address as a registered user?
Is there a test I could do that would determine if someone were spoofing my local IP and/or MAC address? What would happen if I pinged the spoofed IP? Which machine would it choose?
Couple of questions that have been bugging me. Don't bother answering if they do not make sense.
|
| 01 Nov 2009, 05:22 |
|
 |
|
emerging
Joined: 29 Oct 2009, 11:07 Posts: 11
|
 Re: How would one check for spoofed IPs/MAC addresses.
I have a question that might be an answer. What happens if you try connecting using a stateful protocol?
|
| 02 Nov 2009, 10:56 |
|
 |
|
JibbaJabber
Joined: 29 Mar 2008, 22:40 Posts: 4075 Location: Miskatonic U.
|
 Re: How would one check for spoofed IPs/MAC addresses.
There is a good read over on the Cisco site I came across googling. http://www.cisco.com/web/about/ac123/ac ... ofing.html
|
| 03 Nov 2009, 00:39 |
|
 |
|
emerging
Joined: 29 Oct 2009, 11:07 Posts: 11
|
 Re: How would one check for spoofed IPs/MAC addresses.
The site does give guides for an enterprise, but what about users? I mean, how will they manage to TRACE THE IP in real time, keeping in mind that by the time they discover a spoofed IP packet it might be too late? I think that the article there is more of precautionary steps for ISPs, not users. And as the author concludes at the end, there has to be deep looking into this problem in the future, which usually means revision. But for the time being, have fun spoofing, and tighten your IDS and FW.
|
| 03 Nov 2009, 13:50 |
|
 |
|
Dogsthumb
Joined: 14 Sep 2008, 18:46 Posts: 200
|
 Re: How would one check for spoofed IPs/MAC addresses.
Thanks for the input guys. That read reminded me of something I heard a while back about how packets are read. Kinda cleared some other questions I had too. Thanks again. Have fun spoofing!
|
| 03 Nov 2009, 23:35 |
|
 |
|
JibbaJabber
Joined: 29 Mar 2008, 22:40 Posts: 4075 Location: Miskatonic U.
|
 Re: How would one check for spoofed IPs/MAC addresses.
Proper policy to secure PCs on the network from unauthorized use should be enacted as a first defense to prevent spoofing on your own subnet. Furthermore, you can secure your ports by using a NAC (Network Access Controller), for which some open-source tools exist (such as openNAC), to keep foreign computers on your network on their own subnet, allowing unfettered guest access to the net if it is so needed without compromising your business's workstation computers.
For smaller networks, such devices aren't necessary since you can generally get up and observe the computers in question and/or question their operators as to what they are doing, if indeed unauthorized spoofing is going on over the network. Such things as tracebacks, IDS, and complex firewall systems are only necessary for large establishments where such a task is nigh impossible.
|
| 04 Nov 2009, 02:57 |
|
 |
|
emerging
Joined: 29 Oct 2009, 11:07 Posts: 11
|
 Re: How would one check for spoofed IPs/MAC addresses.
I think a fast method (not reliable) would be to examine the IP ID field in combination with the time the header(s) arrived. I mention the time here because, even though the IP ID could be overcome, the interval at which the packets arrive with the same ID could be more evidence that spoofing is going on. Example:
Host A sends a packet from 10.0.0.2 and 10.0.0.3 and 10.0.0.4. According to the usual scenario, every packet ID should be incremented by 1 (256 in some cases). But you see them (the packets) coming with sequential ID numbers. Then you can know that this is a spoof. But what about if you use a packet builder tool (there are plenty) that sends those packets with the same ID number? Then you will have the thought it is from different machines. THAT'S why I say examine the time too.
|
| 04 Nov 2009, 13:45 |
|
 |
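The IP ID plus arrival-time heuristic from the last post, written out as detection logic. This is an added example, not code from the thread: the packet records are constructed, `linked_sources` and `suspected_single_host` are hypothetical names, and it assumes the sender uses one global incrementing IP ID counter, which many current IP stacks do not.

```python
from collections import Counter

# Constructed capture records: (arrival_time_seconds, source_ip, ip_id).
# 10.0.0.2-4 share one incrementing counter; 10.0.0.9 is an unrelated host.
SAMPLE = [
    (0.000, "10.0.0.2", 4660),
    (0.004, "10.0.0.3", 4661),
    (0.007, "10.0.0.9", 51200),
    (0.009, "10.0.0.4", 4662),
    (0.013, "10.0.0.2", 4663),
    (0.021, "10.0.0.9", 51201),
    (0.025, "10.0.0.3", 4664),
    (0.030, "10.0.0.4", 4665),
    (5.000, "10.0.0.9", 4666),  # continues the sequence, but far too late
]

# Step of 1 for a plain counter, 256 for a byte-swapped counter on the wire.
STEPS = (1, 256)


def linked_sources(packets, window=0.05, min_links=2):
    """Return {frozenset({ip_a, ip_b}): count} for pairs of source IPs whose
    packets continue each other's IP ID sequence within `window` seconds."""
    links = Counter()
    ordered = sorted(packets)  # sort by arrival time
    for i, (t1, ip1, id1) in enumerate(ordered):
        for t2, ip2, id2 in ordered[i + 1:]:
            if t2 - t1 > window:
                break  # later packets are outside the time window
            # IP ID is 16 bits, so compare modulo 65536 to survive wrap-around.
            if ip1 != ip2 and (id2 - id1) % 65536 in STEPS:
                links[frozenset((ip1, ip2))] += 1
    # A single coincidence is weak evidence; require repeated continuation.
    return {pair: n for pair, n in links.items() if n >= min_links}


def suspected_single_host(packets, **kwargs):
    """Merge linked pairs into the set of IPs that appear to share one counter."""
    ips = set()
    for pair in linked_sources(packets, **kwargs):
        ips |= pair
    return ips


if __name__ == "__main__":
    print(sorted(suspected_single_host(SAMPLE)))
```

A hit is a reason to look closer, not proof: hosts behind the same NAT device or with randomized IP IDs will respectively over- and under-report.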