Deny IP spoof event

Unanswered Question
Mar 1st, 2010

Dear Team,

We are continuously receiving the following event on a Cisco PIX firewall: "Deny IP spoof from (0.0.0.0) to x.x.x.x on interface intfx".

Request you to reply to the following queries:

1. Whether the event specified can be classified as an attack?

2. Whether relevant IPS signatures are available for detecting such events on the IPS device?

3. Will these events get triggered without enabling IP verify reverse-path command on the firewall?

Thanks & Regards,

Arun.L

Panos Kampanakis Mon, 03/01/2010 - 08:31

1. It could, since this is not a valid IP source.

2. There is 1104, but that is only for local-hosts. You can build your custom one as explained here http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_fwIDS.html

3. If you have the IPS signature catch these packets on the IPS, then yes, the reverse path check will not be necessary on the ASA any more.

I hope it helps.

PK
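
For the first question (whether the logged source is a valid sender), the following is an added example, not code from this thread or from Cisco: it parses syslog lines in the quoted "Deny IP spoof" format, labels each source address by why it is not a legitimate sender (0.0.0.0, non-routable space, or a routable address arriving on the wrong interface) and counts events per interface and source so the noisiest offender stands out. The sample lines are constructed, and the %PIX-2-106016 message ID is assumed; the thread only quotes the message text.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the question.
# The %PIX-2-106016 message ID is an assumption; the last line is an
# unrelated message included to show that it is ignored.
SAMPLE_LOG = """\
Mar  1 08:01:02 fw01 %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.10 on interface inside
Mar  1 08:01:05 fw01 %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.10 on interface inside
Mar  1 08:02:11 fw01 %PIX-2-106016: Deny IP spoof from (10.1.1.5) to 192.0.2.20 on interface outside
Mar  1 08:03:40 fw01 %PIX-2-106016: Deny IP spoof from (169.254.10.4) to 192.0.2.30 on interface dmz
Mar  1 08:04:00 fw01 %PIX-6-302013: Built inbound TCP connection 12 for outside:192.0.2.9/4000
"""

SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[0-9.]+)\) to (?P<dst>[0-9.]+) on interface (?P<intf>\S+)"
)


def classify_source(src):
    """Label why a source address is not a valid sender for the interface it arrived on."""
    ip = ipaddress.ip_address(src)
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0: a host with no address yet, or a broken IP stack
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved or ip.is_link_local:
        return "bogon"        # address space that should never cross a border interface
    return "routable"         # a real address on the wrong interface: worth a capture


def parse_spoof_events(log_text):
    """Return one dict (src, dst, intf, kind) per Deny-IP-spoof line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = classify_source(event["src"])
            events.append(event)
    return events


def summarize(events):
    """Count events per (interface, source, kind) so the noisiest offender is obvious."""
    return Counter((e["intf"], e["src"], e["kind"]) for e in events)


if __name__ == "__main__":
    for key, count in summarize(parse_spoof_events(SAMPLE_LOG)).most_common():
        print(count, *key)
```

Feed it the firewall's syslog export instead of SAMPLE_LOG; a single source repeating on the inside interface points at one misbehaving host rather than an external attack, which is the case to chase with the capture described further down the thread.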

Kureli Sankar Mon, 03/01/2010 - 13:42

You may collect captures and see which MAC address is responsible for sending these packets, then track it down and see what is wrong with it.

If it is on the inside you have good control over fixing the issue.

cap capin int inside match ip host 0.0.0.0 any

The match command will only work if you are running 7.2.4 and above on this PIX; otherwise please use an access-list to collect captures.

You can refer here: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

The above command will collect a capture file named capin for all packets sourced from and destined to IP address 0.0.0.0 on the inside interface.

sh cap capin detail

will give you the mac address.

Then look at the arp table to see which device owns it and see if you can track it down.

-KS
