IP Spoofing messages on PIX

m.yamaguchi
Level 1

Hi ALL,

We have a PIX device that is suffering some strange behavior. On the PIX device, we receive a large number of Deny IP spoof messages like this:

%PIX-2-106016: Deny IP spoof from ("Internet IP Address") to 0.0.0.0 on interface DMZ1

The "destination" IP address is always "0.0.0.0" and, as shown in the data collected from our sniffer and illustrated in the topology, in all cases it is a "SYN" packet and it "seems" that this packet originates from the Local Director devices, because through the sniffer we always see this packet going from the Local Director toward the PIX device.

We have at least 10 different Internet IP addresses with the same message ("Deny IP spoof") on the PIX device.

Has anyone already suffered this kind of behavior?

Thanks,

Marcelo
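As an added illustration (not part of Marcelo's post), the following script triages the %PIX-2-106016 messages he describes: it parses syslog lines in that format, skips other message IDs, and summarises per interface how many events were seen, how many distinct source addresses were involved, and how many had the 0.0.0.0 destination that makes this traffic stand out. The sample log lines are constructed for the example, using RFC 5737 documentation addresses, and the hostname "pix-dmz" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %PIX-2-106016 format (not taken from the thread);
# addresses are from the RFC 5737 documentation ranges, the hostname is an assumption.
SAMPLE_LOG = """\
Jan 12 10:01:03 pix-dmz %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 0.0.0.0 on interface DMZ1
Jan 12 10:01:04 pix-dmz %PIX-2-106016: Deny IP spoof from (203.0.113.9) to 0.0.0.0 on interface DMZ1
Jan 12 10:01:04 pix-dmz %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 0.0.0.0 on interface DMZ1
Jan 12 10:01:05 pix-dmz %PIX-2-106016: Deny IP spoof from (192.0.2.44) to 10.1.1.5 on interface inside
Jan 12 10:01:06 pix-dmz %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.5/1025 (10.1.1.5/1025)
"""

# Message format: %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)"
)


def parse_spoof_events(text):
    """Yield (src, dst, iface) for every 106016 line; lines with other message IDs are skipped."""
    for line in text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("iface")


def spoof_summary(text):
    """Per interface: event count, set of distinct source IPs, and number aimed at 0.0.0.0."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "null_dst": 0})
    for src, dst, iface in parse_spoof_events(text):
        entry = summary[iface]
        entry["count"] += 1
        entry["sources"].add(src)
        if dst == "0.0.0.0":
            entry["null_dst"] += 1
    return dict(summary)


def report(text):
    """Print one line per interface, most events first."""
    summary = spoof_summary(text)
    for iface, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{iface}: {s['count']} spoof denials, "
              f"{len(s['sources'])} distinct sources, "
              f"{s['null_dst']} with destination 0.0.0.0")
        for src in sorted(s["sources"]):
            print(f"  source {src}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Feeding the real syslog export into `report()` gives the list of distinct Internet sources per interface, which is the input the next step (tracing the packets back through the Local Director) needs.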

3 Replies

vitripat
Level 7

PIX is doing its job by denying the spoofed packets. What you need to do is track this down.

For attack issues, the best policy is always to move as close to the source as possible. Now that you have already tracked that:

- PIX is receiving and denying the attack

- Attack packets are SYN packets

- they are various IP addresses

- packets are coming through the Local Director

The next step would be to move onto the Local Director and find what the next device is and how we can prevent these packets on the next device.

Regards,

Vibhor.

Hi Vibhor,

Ok, thanks for the notes that you provided.

As shown in the topology, behind the Local Director we do not see this type of traffic with a sniffer attached in that segment, and one more piece of info about that traffic's behavior: the MAC, for both source and destination, is the same as that of the PIX DMZ1 interface.

Thanks,

Marcelo
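As an added example (not part of the thread), the check below does in code what Marcelo did by eye on the sniffer: it decodes the Ethernet, IPv4 and TCP headers of a captured frame and reports the indicators discussed here, namely source MAC equal to destination MAC, both MACs equal to the capture interface's own MAC, destination IP 0.0.0.0, and a bare SYN. The interface MAC, the two constructed frames and the IP addresses are assumptions made for the example; a real capture would come from the sniffer's pcap instead of the `build_tcp_frame` helper.

```python
import struct

# Assumed MAC of the PIX DMZ1 interface (hypothetical value, not from the thread).
DMZ1_MAC = "00:50:54:ab:cd:ef"

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, flags, sport=40000, dport=80):
    """Build a minimal Ethernet/IPv4/TCP frame as constructed test input (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETH_IPV4)
    return eth + ip + tcp


def parse_tcp_frame(frame):
    """Decode the Ethernet, IPv4 and TCP headers of one frame into a dict."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, options included
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"not TCP: protocol {ip[9]}")
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
    }


def spoof_indicators(frame, iface_mac):
    """Return the indicators from the thread that this frame exhibits."""
    p = parse_tcp_frame(frame)
    iface_mac = iface_mac.lower()
    hits = []
    if p["src_mac"] == p["dst_mac"]:
        hits.append("src MAC equals dst MAC")
    if p["src_mac"] == iface_mac and p["dst_mac"] == iface_mac:
        hits.append("both MACs equal the capture interface MAC")
    if p["dst_ip"] == "0.0.0.0":
        hits.append("destination IP 0.0.0.0")
    if p["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN:
        hits.append("bare SYN")          # a SYN alone is normal; it is reported for context
    return hits


# Constructed frames: one shaped like the traffic in the thread, one ordinary SYN from a host.
SPOOFED_FRAME = build_tcp_frame(DMZ1_MAC, DMZ1_MAC, "198.51.100.7", "0.0.0.0", TCP_SYN)
NORMAL_FRAME = build_tcp_frame("00:0c:29:11:22:33", DMZ1_MAC, "10.20.0.5", "10.20.0.1", TCP_SYN)

if __name__ == "__main__":
    for name, frame in (("spoofed", SPOOFED_FRAME), ("normal", NORMAL_FRAME)):
        print(name, parse_tcp_frame(frame)["src_ip"], "->",
              parse_tcp_frame(frame)["dst_ip"], spoof_indicators(frame, DMZ1_MAC))
```

A frame whose source and destination MAC are both the capture interface's own address cannot have been forwarded by a normal switch port toward that interface, so when the indicators fire on frames seen between the Local Director and the PIX, the origin is either the adjacent device or a crafted frame, which is what the rest of the thread goes on to discuss.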

haha... a smart spoofer, at least he has done his Google search well...

Anyway, I assume that this SYN packet is a fabricated packet, which means I can use 200 free utilities, at least that I know of; klcconsulting.net has designed a SMAC spoofer. It works well for all packets from Windows clients to spoof the MAC address of any device and make it the MAC address of those spoofed packets hitting the firewall.

Therefore it's not surprising at all to see the MAC address of the DMZ interface for that packet.

You might like to read these one fine Sunday morning... :-)

http://www.xs4all.nl/~rmeijer/spoofing.html

http://archives.neohapsis.com/archives/incidents/2002-11/0030.html

My suggestions:

1) Why don't you disconnect the Local Director for a few minutes or for the time being, or else isolate the PIX interface where you are getting hit by these spoofed packets, and see if you still notice this crappy traffic in the logs?

This way we can at least isolate and narrow down the issue and then proceed further...
