Tracking a Spoofed IP

networkguy1038
Level 1

Hi all,

Currently I am having an issue with a host on the private MPLS network that is attempting to set up connections to random hosts on port 445. This host is using a spoofed IP address to do the work, and it doesn't seem that he is sequentially moving through the IP ranges. I have engaged our service provider to see if they can help track the host over the MPLS.

So far, I have not been able to find a reliable way to find this host. I have a network tool spanning our main MPLS pipe into our Data Center, and I can see that some hosts are attempting to reply, but the spoofed IP is not a routable address on our network. Therefore this host is not replicating itself, but instead just causes alarms to go off and an increase in resources to move these packets through.

Anyone have any ideas on how to track this host to a certain area?

1 Reply

Panos Kampanakis
Cisco Employee

Have an ACE rule that matches on port 445 and have it log.

Send the logs to a syslog server and monitor those. These logs should point you to that host in real time.

I hope it helps.

PK
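
An added example, not part of the original thread: one way to work through the syslog output described in the reply, grouping port 445 hits from the spoofed source by the device, ingress interface and source MAC that reported them. It assumes the ACE uses the IOS `log-input` keyword (which adds the interface and MAC to `%SEC-6-IPACCESSLOGP` messages); the hostnames, addresses and log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). Assumed format: Cisco IOS
# %SEC-6-IPACCESSLOGP from an ACE with `log-input`, which appends the ingress
# interface and source MAC after the source address.
SAMPLE_LOGS = """\
Mar  3 10:01:02 rtr-branch-a 101: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 198.51.100.7(4312) (GigabitEthernet0/1 0011.2233.4455) -> 10.20.1.15(445), 1 packet
Mar  3 10:01:09 rtr-branch-a 102: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 198.51.100.7(4313) (GigabitEthernet0/1 0011.2233.4455) -> 10.44.9.200(445), 3 packets
Mar  3 10:01:09 rtr-core-1 877: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 198.51.100.7(4313) (TenGigabitEthernet1/1 aabb.cc00.0100) -> 10.44.9.200(445), 3 packets
Mar  3 10:01:11 rtr-branch-b 55: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 10.30.5.9(50122) (GigabitEthernet0/2 0022.3344.5566) -> 10.20.1.15(445), 1 packet
Mar  3 10:01:12 rtr-branch-a 103: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 198.51.100.7(4314) (GigabitEthernet0/1 0011.2233.4455) -> 10.7.3.3(80), 1 packet
"""

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<device>\S+)\s.*?%SEC-6-IPACCESSLOGP: list \S+ "
    r"(?:permitted|denied) tcp (?P<src>[\d.]+)\(\d+\) "
    r"(?:\((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\) )?"   # present only with log-input
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?",
    re.IGNORECASE,
)

def ingress_points(log_text, spoofed_src, port=445):
    """Return [((device, interface, mac), packets), ...] for the spoofed source,
    busiest first. The source IP is useless for location, so key on where the
    packets entered each logging device instead."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != spoofed_src or int(m["dport"]) != port:
            continue
        key = (m["device"], m["intf"] or "unknown", m["mac"] or "unknown")
        hits[key] += int(m["count"])
    return hits.most_common()

if __name__ == "__main__":
    for (device, intf, mac), packets in ingress_points(SAMPLE_LOGS, "198.51.100.7"):
        print(f"{device:14} {intf:24} {mac}  {packets} packets")
```

On a routed interface the logged MAC belongs to the previous Layer 2 hop, so the result is followed device by device toward the access layer rather than read as the end host's address.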
