Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IP Spoofing messages on PIX

Hi ALL,

We have a PIX device where it are suffering some strange behavior. In the PIX device, we receive large amount of Deny IP spoof messages like this:

%PIX-2-106016: Deny IP spoof from ("Internet IP Address") to 0.0.0.0 on interface DMZ1

The "destination" IP address is always "0.0.0.0" and, as showed in the data info collected from our sniffer and illustrated in the topology, in all cases it is a "SYN" packet and it "seems" that this packet is originating from Local Director devices because through the sniffer we always have seen this packet going from the Local Director toward the PIX device.

We have at least 10 different Internet IP address with the same message ("Deny IP spoof") on the PIX device.

Anyone already suffer this kind of behavior?.

Thanks,

Marcelo

3 REPLIES
Silver

Re: IP Spoofing messages on PIX

PIX is doing its job by denying the spoofed packets. What you need to do is track this down.

Under attack issues, the best policy is always to move as close to source as possible. Now that you have already tracked that:

- PIX is recieving and denying the attack

- Attack packets are SYN packets

- they are various IP addresses

- packets are coming through the Local Director

Next step would be to move onto the Local Director and find what is the next device and how can we prevent these packets on the next device.

Regards,

Vibhor.

New Member

Re: IP Spoofing messages on PIX

Hi Vibhor,

Ok, thanks for the notes that you provided.

As showed in the topology, behind the Local Director we do not see this type of traffic with sniffer attached in that segment and one more info about that traffic behavior is about the MAC, for both source and destination, is the same of that PIX DMZ1 interface.

Thanks,

Marcelo

Cisco Employee

Re: IP Spoofing messages on PIX

haha..a smart spoofer at least he has done his google search well...

Anyways I assume that this syn packet is a fabricated packet, that means i can use 200 free utilities, at least that i know of,klcconsulting.net has designed a SMAC spoofer..works well for all packets from windows clients to spoof the mac address of any device and make it the MAC address of those spoofed packets hitting the firewall

Therefore its not surprising at all to see the MAC address of DMZ Interface for that packet

You might like to read these one fine sunday morning..:-)

http://www.xs4all.nl/~rmeijer/spoofing.html

http://archives.neohapsis.com/archives/incidents/2002-11/0030.html

My Suggestions :-

1)Why dont you disconnet the Local director for few minutes or time being or else isolate the Pix interface where you are getting hit by these spoofed packets and see if you still notice this crappy traffic in the logs ?

This way we can at least isolate and narrow down the issue and then can further proceed ahead...

284
Views
0
Helpful
3
Replies