Re: DENY IP SPOOF

dthomaz · ‎03-07-2002

I would like to know what this message means on the PIX log.

106016: Deny IP spoof from (255.255.255.255) to 193.10.10.193 on interface inside

Thanks,

dthomaz

rsnider · ‎03-07-2002

You will get this message when the PIX discards a packet from an invalid source address.

Check out the PIX manuals at the following link,

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

pick the version that aplies and look at the System Log Message chapter.

You may find the following url useful

http://www.cisco.com/pcgi-bin/front.x/csec/csecHome.pl

eperson2000 · ‎03-07-2002

Read the the message below:

log #106016

Explanation This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid sources addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Furthermore, if sysopt connection enforcesubnet is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the PIX Firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the PIX Firewall to discard packets with source addresses belonging to the internal network.

Action

Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm#32161