PIX syslog 106016 - Deny IP spoof

Unanswered Question
Aug 25th, 2003

Has anyone come across this message and how did you remedy it? We got it for the first time this morning and it is always source 127.0.0.1 to a random IP on our public space. Thanks for any help...

tvanginneken Mon, 08/25/2003 - 07:45

Hi,


This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid source addresses are those belonging to the following:


Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)


Try putting a sniffer in front of the PIX and look for packets coming from 127.0.0.1. If you see those kinds of packets, try to determine the MAC address of the packets. Using the MAC address you can determine the PC that is sending the packets.


Regards,

Tom

fbtech Thu, 09/18/2003 - 12:29

I am getting the same messages from my PIX since the weekend.


I have captured packets and find the MAC address points to our border router.


Looking at the packet, will the MAC address match the last layer three device it crosses?

l.mourits Fri, 09/19/2003 - 08:26

Yes, this is correct, the MAC address you will see when using a sniffer is the MAC address of the last layer-3 device the IP packet passes. Since this is your border router, it seems that your border router is passing traffic that uses the loopback address 127.0.0.1 as source address.


The one sending the packet obviously resides behind your router (from the PIX point of view), so you would have to sniff in front of your router to see the MAC address of the device sending the packets.


By the way, this kind of suspicious traffic usually is an indication that clients are infected with some kind of worm and trying to explore the network. So, checking for the known worms on the client would be your next step once you have discovered the one sending it.


Hope this helps,

Leo
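To turn the advice in this thread (Tom's list of invalid source addresses, and the suggestion to track the offending source before sniffing for its MAC) into a quick triage step, here is an added Python example that is not part of the original thread: it parses PIX 106016 lines, names the reason the source is invalid (loopback, limited or directed broadcast, or land-style source equals destination), and counts denials per source. The log lines and the 203.0.113.0/24 network are constructed sample values.

```python
import re
import ipaddress
from collections import Counter

# Regex for the PIX 106016 message body (format from the Cisco syslog message reference).
MSG_106016 = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not from the original thread).
SAMPLE_LOG = """\
%PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
%PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.25 on interface outside
%PIX-2-106016: Deny IP spoof from (255.255.255.255) to 203.0.113.10 on interface outside
%PIX-2-106016: Deny IP spoof from (203.0.113.255) to 203.0.113.10 on interface outside
%PIX-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.10 on interface outside
%PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80
"""

def parse_106016(line):
    """Return (src, dst, iface) for a 106016 line, or None for any other message."""
    m = MSG_106016.search(line)
    return (m.group("src"), m.group("dst"), m.group("iface")) if m else None

def classify(src, dst, local_nets):
    """Name the reason the PIX treats src as spoofed: loopback, broadcast or land."""
    s = ipaddress.ip_address(src)
    if s.is_loopback:                                   # 127.0.0.0/8
        return "loopback"
    if s == ipaddress.ip_address("255.255.255.255"):    # limited broadcast
        return "limited-broadcast"
    if any(s == ipaddress.ip_network(n).broadcast_address for n in local_nets):
        return "directed-broadcast"                     # broadcast of a local subnet
    if src == dst:                                      # land.c style: source equals destination
        return "land"
    return "other"

def summarize(log_text, local_nets):
    """Count denied packets per (reason, source); the top sources are what to sniff for."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_106016(line)
        if parsed:
            src, dst, _ = parsed
            counts[(classify(src, dst, local_nets), src)] += 1
    return counts

if __name__ == "__main__":
    for (reason, src), n in summarize(SAMPLE_LOG, ["203.0.113.0/24"]).most_common():
        print(f"{n:4d}  {reason:<18} {src}")
```

Feed it the real PIX syslog export and your own local subnets; the source that tops the count is the one whose MAC address to look for on a sniffer in front of the PIX (or, as Leo notes, in front of the router).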
