We have a PIX device that is suffering some strange behavior. On the PIX device, we receive a large number of Deny IP spoof messages like this:
%PIX-2-106016: Deny IP spoof from ("Internet IP Address") to 0.0.0.0 on interface DMZ1
The "destination" IP address is always "0.0.0.0" and, as shown in the data collected from our sniffer and illustrated in the topology, in all cases it is a "SYN" packet, and it "seems" that this packet is originating from the Local Director devices, because through the sniffer we have always seen this packet going from the Local Director toward the PIX device.
We have at least 10 different Internet IP addresses with the same message ("Deny IP spoof") on the PIX device.
As shown in the topology, behind the Local Director we do not see this type of traffic with a sniffer attached to that segment. One more piece of info about that traffic: the MAC address, for both source and destination, is the same as that of the PIX DMZ1 interface.
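To make the pattern in this post easier to verify from syslog instead of by eye, here is an added example (not from the original thread or from Cisco) that parses %PIX-2-106016 lines, aggregates them per interface, and flags interfaces where every denial has destination 0.0.0.0 and several distinct sources appear. The log lines and addresses are constructed for the example; the `min_sources` threshold is an assumption.

```python
import re
from collections import defaultdict

# Regex for the 106016 message as it appears in the post; the source address
# sits inside the parentheses where the post shows "Internet IP Address".
PIX_106016 = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Constructed sample syslog (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Jan 10 09:00:01 pix %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 0.0.0.0 on interface DMZ1
Jan 10 09:00:02 pix %PIX-2-106016: Deny IP spoof from (203.0.113.20) to 0.0.0.0 on interface DMZ1
Jan 10 09:00:03 pix %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 0.0.0.0 on interface DMZ1
Jan 10 09:00:04 pix %PIX-2-106016: Deny IP spoof from (192.0.2.55) to 10.1.1.5 on interface outside
Jan 10 09:00:05 pix %PIX-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.9/4000
"""

def summarize_spoof_denials(log_text):
    """Return {iface: {"total", "sources", "to_zero_dst"}} for 106016 events only."""
    per_iface = defaultdict(lambda: {"total": 0, "sources": set(), "to_zero_dst": 0})
    for line in log_text.splitlines():
        m = PIX_106016.search(line)
        if not m:
            continue  # other syslog IDs (e.g. 302013) are ignored
        stats = per_iface[m["iface"]]
        stats["total"] += 1
        stats["sources"].add(m["src"])
        if m["dst"] == "0.0.0.0":
            stats["to_zero_dst"] += 1
    return dict(per_iface)

def suspicious_interfaces(summary, min_sources=2):
    """Interfaces matching the thread's pattern: every denial goes to 0.0.0.0 and
    the sources vary. Worth correlating with a capture on that segment before
    treating the source addresses themselves as the problem."""
    return sorted(
        iface for iface, s in summary.items()
        if s["to_zero_dst"] == s["total"] and len(s["sources"]) >= min_sources
    )

if __name__ == "__main__":
    summary = summarize_spoof_denials(SAMPLE_LOG)
    for iface, s in summary.items():
        print(iface, s["total"], len(s["sources"]), s["to_zero_dst"])
    print("review first:", suspicious_interfaces(summary))
```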
Haha... a smart spoofer, at least he has done his Google search well...
Anyway, I assume that this SYN packet is a fabricated packet, which means I can use 200 free utilities, at least that I know of; klcconsulting.net has designed a SMAC spoofer. It works well for all packets from Windows clients to spoof the MAC address of any device and make it the MAC address of those spoofed packets hitting the firewall.
Therefore it's not surprising at all to see the MAC address of the DMZ interface for that packet.
You might like to read these one fine Sunday morning... :-)
1) Why don't you disconnect the Local Director for a few minutes, or else isolate the PIX interface where you are getting hit by these spoofed packets, and see if you still notice this crappy traffic in the logs?
This way we can at least isolate and narrow down the issue and then proceed further...