Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IP spoofing on GRE

Unanswered Question
Sep 29th, 2003
User Badges:


I am having a problem on our network where

we are using GRE tunnels as our WAN/VPN to all our remote sites.Each GRE tunnel interface has got an ip address provided by the service provider.

My firewall is detecting IP spoffing from pretty much most of our remolte gre source addresses.

If i do an IP accounting on our core router on the serial interface it shows loads of 56 byte packets coming in a with a source gre tunnel ip address trying to connect to loads of different destination internet addresses around the world.It only seems to b e one packet from laods of different site gre tunnel addresses.They are all only 56 byte packets and it is protocol 1 which is ICMP.

My service provider told me its a worm bvut I dont think it is because all our remote servers are up to date with the latest virus definitions and we cant find a trace of any worm or virus.We run a citrix terminal server environment so it cant be on the remote desktops as they are dumb terminals.

I think that someone is spoofing and using our source address to try and connect to these different IP addresses on the internet.I also found that some of the source ip addresses are not even ours.It is the ip addresses of the service providers routers or something because they fall within the same subnet of the ip address provided for our gre tunnel interfaces.Can someone tell me how to stop this spoofing and whether I am correct.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jsivulka Fri, 10/03/2003 - 10:28
User Badges:
  • Bronze, 100 points or more

The document 'Protecting Your Core: Infrastructure Protection Access Control Lists' should help you. It discusses protecting your tunnel interfaces and preventing spoofing.


This Discussion