grc
New Member

IP Spoof

I have been receiving the PIX syslog 106016 messages over the past week. I have received over 50 so far today. Like others, the source address is 127.0.0.1 and the destination is one of our public IP addresses (at random). When sniffing the traffic, the source MAC address is our perimeter router. My router has a CSU/DSU module installed, so I cannot put a sniffer outside. Is there any way to see the actual source MAC address?
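The poster is counting 106016 messages by hand. As an added example (not part of this thread), here is a small parser that pulls the source, destination and interface out of PIX 106016 syslog lines and summarises how often the denies occur and which public addresses they target; the message layout ("Deny IP spoof from (src) to dst on interface ...") is assumed from the standard PIX format, and the sample log lines are constructed, not taken from the poster's logs.

```python
"""Summarise PIX %PIX-2-106016 'Deny IP spoof' syslog messages.

Added example, not code from the thread. The line layout below is assumed to
match the standard PIX 106016 message; adjust SPOOF_RE if your syslog prefix differs.
"""
import re
from collections import Counter

# Constructed sample syslog excerpt (hostname 'pix', RFC 3164 style timestamps).
# The last line is an unrelated message and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Mar 14 09:01:12 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
Mar 14 09:01:40 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.23 on interface outside
Mar 14 09:02:05 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
Mar 14 10:15:33 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.7 on interface outside
Mar 14 10:16:00 pix %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.4/80 (198.51.100.4/80) to inside:10.0.0.5/51000 (10.0.0.5/51000)
"""

# Timestamp, hostname, then the 106016 body with the three fields we care about.
SPOOF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-2-106016: "
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_106016(text):
    """Return a list of dicts (ts, src, dst, iface) for every 106016 line in text."""
    events = []
    for line in text.splitlines():
        m = SPOOF_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise(events):
    """Aggregate denies by destination address and by hour, and count loopback sources."""
    by_dst = Counter(e["dst"] for e in events)
    # Strip ':MM:SS' from the timestamp to bucket per hour, e.g. 'Mar 14 09'.
    per_hour = Counter(e["ts"][:-6] for e in events)
    loopback = sum(1 for e in events if e["src"].startswith("127."))
    return {
        "total": len(events),
        "loopback_source": loopback,
        "by_dst": dict(by_dst),
        "per_hour": dict(per_hour),
    }


if __name__ == "__main__":
    report = summarise(parse_106016(SAMPLE_SYSLOG))
    print(f"{report['total']} spoof denies, {report['loopback_source']} with a 127/8 source")
    for dst, n in sorted(report["by_dst"].items(), key=lambda kv: -kv[1]):
        print(f"  {dst}: {n}")
    for hour, n in sorted(report["per_hour"].items()):
        print(f"  {hour}:00 -> {n}")
```

Feeding a day's worth of PIX syslog through this shows whether the denies cluster in time or spread evenly, and whether the targeted destinations are random (as the poster reports) or concentrated on a few hosts, which is the distinction between background noise and a deliberate probe of particular addresses.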

4 REPLIES
Silver

Re: IP Spoof

Hi,

On the PIX you can try to use the capture command, but again, it will show the MAC address of your router. On your router, you can try to use "debug ip packet detail 101", where access-list 101 is:

access-list 101 permit ip host 127.0.0.1 any

I hope this will give you a better picture of the traffic.

Thanks

Nadeem

Re: IP Spoof

As Nadeem mentioned, the L2 addresses (source and dest MAC) are going to be re-written at each L3 hop. In order to find the culprit in this case, you are going to need to involve your ISP for assistance. The best bet here is to take a look at the TTL values and use some educated guesses to find out how many hops away the actual source of the packets was. Do all of the packets you captured in your trace have the same TTL? Different? If the same, you can possibly assume that the packets are all being sent from the same host. Your ISP will most likely be of little help in this though since the packets are causing no real problems on your network. But you will need to go higher up than the PIX to find the culprit.

Scott
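Scott suggests reading the TTL of the captured packets to estimate how many hops away the real sender is. As an added example (not from this thread), the script below takes capture records with the fields a PIX capture or router debug exposes (source, destination, TTL), checks whether every packet shares one TTL, and for each distinct TTL assumes the nearest common initial value (32, 64, 128 or 255) to estimate the hop count. The packet records are constructed for illustration.

```python
"""Estimate hop distance of spoofed-source packets from their IP TTL.

Added example, not code from the thread. Records are constructed to resemble
what a PIX 'capture' or IOS 'debug ip packet detail' would report.
"""
from collections import Counter

# Initial TTLs commonly set by network stacks, in ascending order.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample: three packets, spoofed 127.0.0.1 source, identical TTL.
SAMPLE_PACKETS = [
    {"src": "127.0.0.1", "dst": "203.0.113.10", "ttl": 120},
    {"src": "127.0.0.1", "dst": "203.0.113.23", "ttl": 120},
    {"src": "127.0.0.1", "dst": "203.0.113.7", "ttl": 120},
]


def hops_from_ttl(ttl):
    """Return (assumed_initial_ttl, hops): the smallest common initial TTL >= ttl.

    The guess is only an estimate: a sender could use an uncommon initial TTL,
    and a low observed TTL is ambiguous between initial values.
    """
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be 0..255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("unreachable")  # 255 always matches


def analyse(packets):
    """Group packets by TTL and decide whether one sending host is plausible."""
    ttl_counts = Counter(p["ttl"] for p in packets)
    estimates = {ttl: hops_from_ttl(ttl) for ttl in ttl_counts}
    return {
        "ttl_counts": dict(ttl_counts),
        # A single TTL across all packets is consistent with one source host
        # on one path; several TTLs suggest several hosts or several paths.
        "single_source_likely": len(ttl_counts) == 1,
        "estimates": estimates,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PACKETS)
    for ttl, (initial, hops) in result["estimates"].items():
        n = result["ttl_counts"][ttl]
        print(f"TTL {ttl} seen {n}x: if initial TTL was {initial}, sender is ~{hops} hops away")
    print("single source likely:", result["single_source_likely"])
```

The hop count is what you hand to the ISP: a consistent TTL and an estimate of "about N routers upstream" narrows where they need to look, whereas a spread of TTLs points to multiple senders or a changing path and is worth noting before asking for help.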

New Member

Re: IP Spoof

I saw this attack last week and it appears to be a teardrop attack in its similarity to its fragmented packet vector. It appears that packet A is being overwritten by packet B, thus its similarity to a teardrop or Pepsi attack vector. The PIX will block it because it sees a loopback address as a spoofed IP. I have tried to work with many ISPs tracking down the source of problems, and the problem is the farther away from your ISP you track back, the less likely downstream ISPs will work with you. They don't have the time or resources. Good luck.

grc
New Member

Re: IP Spoof

Thanks for all of your replies. The TTL is the same on all packets (120) that I have captured. I'm going to do more captures today. Is there a way I can get the source info from the syslog of the router? I compared the syslog of the router and the PIX, but could not seem to find the correct match. Thanks again for all the tips.
