Spoofing

Unanswered Question
Nov 17th, 2008

Hi,


We have installed an ASA 5505 in production and are getting a huge number of the following logs:

(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside


1.1.1.1 ----Outside Interface IP

2.2.2.2 ----It's an internal machine's public IP, which is static and used in static NAT for the internal machine.


Please advise if it's an attack and what action needs to be taken. Ray


ray_stone Wed, 11/19/2008 - 05:51

Can anyone respond to this, as we are getting the same huge logs? I would request all experts to kindly advise me what to do about it, as our production services are being affected. Please advise on a priority basis. Thanks, Ray

John Blakley Wed, 11/19/2008 - 07:16

What does your topology look like? It would be much easier to answer I think.


--John

John Blakley Wed, 11/19/2008 - 07:42

Per Cisco:


Explanation


This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:


  • Loopback network (127.0.0.0)
  • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
  • The destination host (land.c)


In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.



Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.



HTH,


--John
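
An added example, not part of any post in this thread: a Python sketch that tallies 106016 messages by source, destination and interface and labels each with the invalid-source category from the Cisco explanation quoted above. The `firewall-own-address` category (the case Ray reports), the function names, the sample lines and the 192.0.2.0/24 network are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches both the thread's "(106016) Deny ..." and the "%ASA-2-106016: Deny ..." form.
LINE_RE = re.compile(
    r"106016\)?:?\s+Deny IP spoof from\s*\((?P<src>[\d.]+)\)\s+to\s+"
    r"(?P<dst>[\d.]+)\s+on interface\s+(?P<ifc>\S+)"
)

def classify(src, dst, own_ips, networks):
    """Return the reason a source address counts as invalid."""
    if src in own_ips:
        return "firewall-own-address"   # assumed category: the case in the thread
    if src.is_loopback:
        return "loopback"
    if src == dst:
        return "land"                   # source equals the destination host
    if str(src) == "255.255.255.255" or any(src == n.broadcast_address for n in networks):
        return "broadcast"
    return "other-invalid"

def triage(lines, own_ips, networks):
    """Count 106016 events per (category, source, destination, interface)."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    nets = [ipaddress.ip_network(n) for n in networks]
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                    # not a 106016 message
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        counts[(classify(src, dst, own, nets), str(src), str(dst), m["ifc"])] += 1
    return counts

# Constructed sample lines; 1.1.1.1 and 2.2.2.2 are the thread's placeholders.
SAMPLE = [
    "(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside",
    "(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (2.2.2.2) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (192.0.2.255) to 2.2.2.2 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection (constructed, ignored)",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE, ["1.1.1.1"], ["192.0.2.0/24"]).most_common():
        print(n, *key)
```

A count dominated by one source/destination pair, as in the first two sample lines, points toward the "misconfigured clients" branch of the recommended action rather than many distinct external senders.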
