IP spoofing attack, how to identify the mac address?

rickan2000
Level 1

Hi,

we are experiencing an IP-spoofing attack. We have a PIX 515 with 6 interfaces. On the intern interface we receive the following error message:

PIX-1-106021: Deny udp reverse path check from 192.254.210.92 to 192.254.255.255 on interface intern

Unicast RPF is configured on all interfaces.

Is this truly an attack? If yes, is there a chance to identify the MAC address of this IP? In other words, how can I identify the attacker?

Best thanks

2 Replies

vijkrish
Cisco Employee

Before you can confirm if this is an attack, please see:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Look for 106021 in this document.

1. Check if there is a route for this IP in the PIX routing table. Identify if this IP belongs to the intern interface. What is the security level of this interface?

2. Do you have asymmetric routing?

It says:

Explanation: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your PIX Firewall.

Action: This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then PIX Firewall checks packets arriving from the outside.

PIX Firewall looks up a route based on the src_addr. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.

If there is a route, PIX Firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. PIX Firewall does not support asymmetric routing.

If configured on an internal interface, PIX Firewall checks static route command statements or RIP and if the src_addr is not found, then an internal user is spoofing their address.

An attack is in progress. With this feature enabled, no user action is required. PIX Firewall repels the attack.
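The reverse-path decision quoted above can be modelled in a few lines, which also makes it easy to triage a batch of 106021 messages by source and ingress interface. The following is an added example, not code from the thread or from Cisco: it assumes a constructed routing table (the prefixes and interface names are hypothetical), implements the documented lookup (no route, or route pointing out a different interface, both result in a deny), and parses syslog lines in the format quoted in the question. The sample log lines are constructed to match that format.

```python
import ipaddress
import re
from collections import Counter

# Constructed routing table (hypothetical; not the poster's PIX configuration).
# Each entry maps a prefix to the interface the firewall would reach it through.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "intern"),
    (ipaddress.ip_network("172.16.5.0/24"), "dmz"),
    (ipaddress.ip_network("198.51.100.0/24"), "outside"),
]


def lookup_route(src, routes=ROUTES):
    """Longest-prefix match for the source address; None if no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src, ingress, routes=ROUTES):
    """Model of the documented 'ip verify reverse-path' decision.

    Returns 'pass', 'drop-no-route' (no route for src_addr) or
    'drop-wrong-interface' (the route points out a different interface,
    which the documentation describes as either a spoof or asymmetric routing).
    """
    match = lookup_route(src, routes)
    if match is None:
        return "drop-no-route"
    if match[1] != ingress:
        return "drop-wrong-interface"
    return "pass"


# Matches the 106021 message format quoted in the question.
LOG_RE = re.compile(
    r"%?PIX-\d-106021: Deny (?P<proto>\w+) reverse path check "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_106021(line):
    """Return the fields of a 106021 line as a dict, or None for other messages."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count denied packets per (source, ingress interface, destination)."""
    counts = Counter()
    for line in lines:
        rec = parse_106021(line)
        if rec:
            counts[(rec["src"], rec["iface"], rec["dst"])] += 1
    return counts


# Constructed sample log lines modelled on the message quoted in the thread.
SAMPLE_LOG = [
    "%PIX-1-106021: Deny udp reverse path check from 192.254.210.92 to 192.254.255.255 on interface intern",
    "%PIX-1-106021: Deny udp reverse path check from 192.254.210.92 to 192.254.255.255 on interface intern",
    "%PIX-1-106021: Deny udp reverse path check from 192.254.210.92 to 192.254.255.255 on interface intern",
    "%PIX-1-106021: Deny tcp reverse path check from 172.16.5.9 to 10.10.1.1 on interface intern",
    "%PIX-6-999999: constructed unrelated message, ignored by the parser",
]

if __name__ == "__main__":
    # Print the busiest (source, interface, destination) tuples with the reason
    # the modelled reverse-path check would give for each.
    for (src, iface, dst), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d} x {src} -> {dst} on {iface}: {urpf_check(src, iface)}")
```

Note the caveat for the poster's actual question: a 106021 line carries only layer-3 information, so grouping it by source and interface narrows the search to one interface but cannot by itself yield a MAC address; that requires a separate layer-2 lookup, which this example does not perform.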

Hi,

thanks for your reply. I had read the document before I wrote my first message.

1. There is no route for this IP in the routing table.

2. There is no asymmetric routing.

3. The intern interface has an IP from a fully different address domain.

4. If I run debug packet interface src 192.**** I see that the packets from this IP are UDP datagrams. These IP packets have a size of 576 bytes and look like a broadcast message (the destination is 192.254.255.255). So I think this IP belongs to the intern interface.

Any idea?

Thanks.
