ASA capture utility / IP spoof

forman102
Level 1

Hello,

I had received a couple of notifications from the ASA regarding IP spoof attempts:

:Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IPspoof from (127.0.0.1) to 64.x.x.x on interface inside

I wanted to get some more info to eliminate any infected clients on my internal network. I researched this forum and configured an access list to capture suspicious traffic:

ciscoasa(config)#access-list incap permit ip host 127.0.0.1 any
ciscoasa(config)#access-list incap permit ip any host 127.0.0.1
ciscoasa(config)#capture incap access-list incap interface inside

Could someone tell me if I had done it correctly?

Here's the result of the "show capture incap":

6 packets captured

   1: 12:13:25.984049 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385139 0,nop,wscale 0>
   2: 12:13:28.975047 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385439 0,nop,wscale 0>
   3: 12:16:45.147239 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405056 0,nop,wscale 0>
   4: 12:16:48.137764 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405356 0,nop,wscale 0>
   5: 14:06:53.636197 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243907855 0,nop,wscale 0>
   6: 14:06:56.629789 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243908155 0,nop,wscale 0>
6 packets shown

How can I identify the offending host on my inside network? Also, the x-ed public IPs point to one of the local businesses, and it seems that it's their totally unsecured IIS server. Is it OK to contact the company's IT dept regarding this, or report it somewhere else?

Thank you,

forman


9 Replies

mirober2
Cisco Employee

Hi Forman,

You could try looking at the MAC address of the offender and tracing it back through your switch to find out what machine it is coming from. Depending on your environment though (for example, if the host is a wireless client), this might not be too helpful. If the attacker can spoof their IP address, they could also be spoofing their MAC address.

Hope that helps.

-Mike

Thanks Mike. I think I'm missing something obvious here... How can I find the MAC address of the offender?

Sorry if this sounds ignorant, but I don't have much experience with ASA.

thanks again

forman

Hi Forman,

No worries. If the capture is still in the ASA's memory, take a look at 'show capture detail' and the MAC address on the packets will be shown.

-Mike

You can do "show cap capname detail".

Also, I would not expect to see any traffic from the local loopback IP 127.0.0.1 on any interface of the firewall.

So I guess you should block this IP on all interfaces, as many virus/scanning hosts use this IP as a source, and I cannot think of any legitimate traffic using this IP.

Probably someone can confirm this.

You can either download the PCAP file of the capture, that would give you the full information, and you can view it with ethereal or wireshark. OR/ alternatively you can also do "show capture incap detail" and it will give you the mac address information as well.

Thank you everyone for help!

1 more question: what's the interpretation of this line (sh capture incap detail):

   1: 12:13:25.98404 MAC1 MAC2 0x0800 74: 127.0.0.1.37948 >   65.x.x.x.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53078)

There are 2 MAC addresses involved: MAC2 is the ASA Inside Int and MAC1 is the web filter connected directly to the ASA's Inside Int. What exactly is happening here? I assume that the offending device is the web filter, correct? I don't think that there's anything I can do to eliminate this (other than completely blocking traffic to/from the loopback int)?

thanks

forman
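The two questions in this thread (how to work back from the "show capture" output to the offending inside host, and how to read a "show capture ... detail" line) both come down to parsing the ASA's capture text and tallying spoofed source addresses by source MAC. The following is an added Python example written for this page; it is not code from the thread or from Cisco. The sample capture lines, the syslog line, the MAC addresses (IANA documentation range 0000.5e00.53xx) and the inside subnet 10.1.0.0/16 are all constructed for the example, and the "spoofed" test (loopback, unspecified, or outside the inside subnet) is an assumption modelled on what the 106016 message describes, not the ASA's exact reverse-path logic.

```python
import ipaddress
import re
from collections import Counter

# Assumed inside-interface subnet (constructed; the thread never states it).
INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")

# ASA prints MACs in dotted-quad-hex form, e.g. 0000.5e00.5301
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# One pattern for both "show capture X" and "show capture X detail" lines:
# the MAC/ethertype/length group is only present in the detail form.
CAPTURE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    rf"(?:(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+"
    rf"(?P<ethertype>0x[0-9a-fA-F]{{4}})\s+(?P<length>\d+):\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>\S+)"
)

# The %ASA-x-106016 "Deny IP spoof" syslog line quoted in the question.
SYSLOG_RE = re.compile(
    r"%ASA-(?:\w+-)?\d-106016: Deny IP spoof from \((?P<src>\S+)\) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample output, modelled on the thread (IPs from 203.0.113.0/24).
SAMPLE_BRIEF = """\
2 packets captured
   1: 12:13:25.984049 127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385139 0,nop,wscale 0>
   2: 12:13:28.975047 127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385439 0,nop,wscale 0>
2 packets shown
"""

SAMPLE_DETAIL = """\
3 packets captured
   1: 12:13:25.98404 0000.5e00.5301 0000.5e00.5302 0x0800 74: 127.0.0.1.37948 > 203.0.113.10.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53078)
   2: 12:13:28.97504 0000.5e00.5301 0000.5e00.5302 0x0800 74: 127.0.0.1.37948 > 203.0.113.10.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53079)
   3: 12:14:01.11200 0000.5e00.5303 0000.5e00.5302 0x0800 74: 10.1.5.20.41022 > 203.0.113.10.80: S [tcp sum ok] 100:100(0) win 5840 (DF) (ttl 64, id 100)
3 packets shown
"""

SAMPLE_SYSLOG = (":Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IP spoof "
                 "from (127.0.0.1) to 203.0.113.20 on interface inside")


def _split_ip_port(token):
    """ASA writes 'a.b.c.d.port'; the port is everything after the last dot."""
    ip, _, port = token.rpartition(".")
    return ip, int(port)


def parse_capture_line(line):
    """Return a dict for one packet line, or None for headers/footers."""
    m = CAPTURE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _split_ip_port(m["src"])
    dst_ip, dst_port = _split_ip_port(m["dst"])
    return {
        "num": int(m["num"]), "time": m["time"],
        "src_mac": m["src_mac"], "dst_mac": m["dst_mac"],  # None in brief form
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port, "flags": m["flags"],
    }


def parse_spoof_syslog(line):
    """Extract source, destination and interface from a 106016 syslog line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"src_ip": m["src"], "dst_ip": m["dst"], "interface": m["iface"]}


def is_spoofed_source(ip_str, inside_net=INSIDE_NET):
    """Assumed test: a source seen on 'inside' is spoofed if it is loopback,
    unspecified, or not inside the inside subnet."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_unspecified or ip not in inside_net


def summarize_offenders(capture_text, inside_net=INSIDE_NET):
    """Count spoofed packets per (source MAC, source IP). The MAC is what you
    then look up in the switch CAM table; it is None for the brief format."""
    tally = Counter()
    for line in capture_text.splitlines():
        pkt = parse_capture_line(line)
        if pkt and is_spoofed_source(pkt["src_ip"], inside_net):
            tally[(pkt["src_mac"], pkt["src_ip"])] += 1
    return tally


if __name__ == "__main__":
    print("syslog:", parse_spoof_syslog(SAMPLE_SYSLOG))
    for (mac, ip), n in summarize_offenders(SAMPLE_DETAIL).items():
        print(f"{n} spoofed packet(s) from {ip} via MAC {mac or '(run detail capture)'}")
```

Run against the brief format the tally still identifies the spoofed source address but carries no MAC, which is exactly why the replies point to the "detail" form: only there does the ASA print the Ethernet header, and the source MAC is the one value that survives the spoofed IP and can be traced port by port through the switches (with the caveat Mike gives that a host able to spoof its IP can also change its MAC).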

127.0.0.1 is a loopback IP address. As you advised, MAC 1 belongs to the web filtering server, so you might want to check why it's sending traffic sourced from its loopback address (127.0.0.1).

Here is more information on what that particular syslog actually means:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768961
