6621 Views | 0 Helpful | 2 Replies

Deny IP spoof event

arun_laksh
Level 1

Dear Team,

We are continuously receiving the following event on a Cisco PIX firewall: "Deny IP spoof from (0.0.0.0) to x.x.x.x on interface intfx".

Request you to reply to the following queries:

1. Whether the event specified can be classified as an attack?

2. Whether relevant IPS signatures are available for detecting such events on the IPS device?

3. Will these events get triggered without enabling IP verify reverse-path command on the firewall?

Thanks & Regards,

Arun.L

2 Replies

Panos Kampanakis
Cisco Employee

1. It could, since this is not a valid IP source.

2. There is 1104, but that is only for local hosts. You can build your custom one as explained here: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_fwIDS.html

3. If you have the IPS signature catch these packets on the IPS, then yes, the reverse path check will not be necessary on the ASA any more.

I hope it helps.

PK

You may collect captures and see which MAC address is responsible for sending these packets, then track it down and see what is wrong with it.

If it is on the inside you have good control over fixing the issue.

cap capin int inside match ip host 0.0.0.0 any

The match command will only work if you are running 7.2.4 and above on this PIX; otherwise please use an access-list to collect captures.

You can refer here: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

The above command will collect a capture file named capin for all packets sourced from or destined to IP address 0.0.0.0 on the inside interface.

sh cap capin detail

will give you the MAC address.

Then look at the ARP table to see which device owns it and see if you can track it down.

-KS
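The triage procedure in the reply above (count the deny events, capture the 0.0.0.0-sourced frames, read the source MAC from the capture detail, look the MAC up in the ARP table) can be scripted once the firewall output has been saved to text. The following is an added example, not code from the thread or from Cisco: the syslog lines, the capture output and the ARP entries are constructed, the syslog message id 106016 is assumed to be the one carrying "Deny IP spoof", and the column layout of `show cap capin detail` and `show arp` is an assumption modelled on typical PIX/ASA output. The sample also illustrates the most common benign reason for 0.0.0.0-sourced frames on an inside segment: a DHCP client broadcasting from 0.0.0.0/68 to 255.255.255.255/67 before it has a lease.

```python
"""Tally PIX/ASA 'Deny IP spoof' events and attribute 0.0.0.0-sourced frames
to a MAC address, then to an ARP entry.

Added example. All sample text below is constructed; the syslog id 106016 and
the 'show cap ... detail' / 'show arp' layouts are assumptions.
"""
import re
from collections import Counter

# Constructed syslog sample (message id 106016 assumed for the spoof deny).
SYSLOG = """\
Jan 10 10:00:01 fw %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 10.1.1.1 on interface inside
Jan 10 10:00:02 fw %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 10.1.1.1 on interface inside
Jan 10 10:00:03 fw %PIX-2-106016: Deny IP spoof from (192.168.5.9) to 10.1.1.1 on interface outside
Jan 10 10:00:04 fw %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/4001 (203.0.113.5/4001) to inside:10.1.1.1/80 (10.1.1.1/80)
"""

# Constructed 'show cap capin detail' style output. Assumed layout: a header
# line with frame number, timestamp, source MAC, destination MAC, ethertype and
# length, followed by an indented line with IP addresses and ports. Frames 1
# and 2 are what a DHCP DISCOVER from an unconfigured client looks like.
CAPTURE = """\
3 packets captured
   1: 10:00:01.123456 0019.aa11.bb22 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67: udp 300
   2: 10:00:02.223456 0019.aa11.bb22 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67: udp 300
   3: 10:00:05.000001 0050.cc33.dd44 0019.aa11.bb22 0x0800 Length: 60
      10.1.1.50.5000 > 10.1.1.1.80: tcp 0
"""

# Constructed 'show arp' style output: interface, IP, MAC, age.
ARP = """\
        inside 10.1.1.50 0050.cc33.dd44 120
        inside 10.1.1.77 0019.aa11.bb22 4
        outside 203.0.113.1 0011.2233.4455 1800
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)")
FRAME_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<smac>%s)\s+(?P<dmac>%s)" % (MAC, MAC), re.I)
IP_RE = re.compile(r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+")
ARP_RE = re.compile(r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>%s)" % MAC, re.I)


def tally_spoof_events(text):
    """Count 'Deny IP spoof' events per (source, destination, interface)."""
    counts = Counter()
    for line in text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["iface"])] += 1
    return counts


def macs_for_source(capture_text, src_ip="0.0.0.0"):
    """Return a Counter of source MACs whose frames carried src_ip."""
    macs = Counter()
    pending_mac = None
    for line in capture_text.splitlines():
        f = FRAME_RE.match(line)
        if f:
            pending_mac = f["smac"].lower()   # remember MAC until the IP line arrives
            continue
        ip = IP_RE.match(line)
        if ip and pending_mac:
            if ip["src"] == src_ip:
                macs[pending_mac] += 1
            pending_mac = None
    return macs


def arp_lookup(arp_text):
    """Build MAC -> (interface, IP) from 'show arp' text."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["mac"].lower()] = (m["iface"], m["ip"])
    return table


def attribute_spoofers(capture_text, arp_text, src_ip="0.0.0.0"):
    """Map each offending MAC to (frame count, ARP entry or None if not learned)."""
    table = arp_lookup(arp_text)
    return {mac: (n, table.get(mac)) for mac, n in macs_for_source(capture_text, src_ip).items()}


if __name__ == "__main__":
    for key, n in tally_spoof_events(SYSLOG).items():
        print("spoof deny %s -> %s on %s: %d" % (key[0], key[1], key[2], n))
    for mac, (n, owner) in attribute_spoofers(CAPTURE, ARP).items():
        print("MAC %s sent %d frame(s) from 0.0.0.0; ARP says %s" % (mac, n, owner))
```

A MAC that appears in the capture but has no ARP entry is still worth chasing: the switch's MAC address table will show the port it was learned on, which is usually faster than waiting for the host to ARP.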
