05-17-2002 01:42 AM - edited 03-08-2019 10:40 PM
Hi,
we are experiencing an IP-spoofing attack. We have a PIX 515 with 6 interfaces. On the intern interface we receive this error message:
PIX-1-106021: Deny udp reverse path check from 192.254.210.92 to 192.254.255.255 on interface intern
the Unicast RPF is configured on all interfaces.
Is this truly an attack? If yes, is there a chance to identify the MAC address of this IP? In other words, how can I identify the attacker?
Best thanks
05-17-2002 02:54 AM
Before you can confirm if this is an attack, please see:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm
Look for 106021 in this document.
1. Check if there is a route for this IP in the PIX routing table. Identify if this IP belongs to the intern interface. What is the security level of this interface ?
2. Do you have asymmetric routing ?
It says:
Explanation: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your PIX Firewall.
Action: This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then PIX Firewall checks packets arriving from the outside.
PIX Firewall looks up a route based on the src_addr. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.
If there is a route, PIX Firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. PIX Firewall does not support asymmetric routing.
If configured on an internal interface, PIX Firewall checks static route command statements or RIP and if the src_addr is not found, then an internal user is spoofing their address.
An attack is in progress. With this feature enabled, no user action is required. PIX Firewall repels the attack.
05-17-2002 04:44 AM
Hi,
thanks for your reply. I had read the document before I wrote my first message.
1. there is no route for this IP in the routing table.
2. there is no asymmetric routing
3. the intern interface has an IP from a completely different address range.
4. if I run debug packet interface src 192.**** I see that the packets from this IP are UDP datagrams. These IP packets have a size of 576 bytes and look like a broadcast message (the destination is 192.254.255.255). So I think this IP belongs to the intern interface.
any idea?
Thanks.
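The following is an added worked example, not code from this thread or from Cisco. It models the Unicast RPF decision quoted from the syslog documentation above (route lookup on the source, then an ingress-interface comparison), parses a 106021 line of the form seen on the intern interface, and checks the observation in the last post that the destination 192.254.255.255 is the broadcast address of a network containing the source. The routing table, interface names and sample log line are constructed for the example; the actual PIX table is not known here.

```python
import ipaddress
import re

# Constructed routing table (prefix -> interface). It deliberately has no
# default route so that the "no route for source" branch is visible; a real
# PIX usually has one pointing to outside, in which case a stray source that
# arrives on intern fails the check on the interface-mismatch branch instead.
ROUTES = [
    ("10.1.0.0/16", "intern"),
    ("172.16.5.0/24", "dmz"),
]

# Constructed sample log line in the format shown in the first post.
SAMPLE_LOG = ("PIX-1-106021: Deny udp reverse path check from "
              "192.254.210.92 to 192.254.255.255 on interface intern")


def lookup_route(src, routes=ROUTES):
    """Longest-prefix match of src against the table; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(proto, src, dst, ingress, routes=ROUTES):
    """Unicast RPF as described for 106021: permit only if the route back to
    the source leaves via the interface the packet arrived on."""
    iface = lookup_route(src, routes)
    if iface is None:
        reason = "no-route"
    elif iface != ingress:
        # Either spoofed, or asymmetric routing (which PIX does not support).
        reason = "interface-mismatch"
    else:
        return {"action": "permit", "reason": "route-via-ingress", "syslog": None}
    msg = (f"PIX-1-106021: Deny {proto} reverse path check from {src} "
           f"to {dst} on interface {ingress}")
    return {"action": "deny", "reason": reason, "syslog": msg}


def parse_106021(line):
    """Extract protocol, source, destination and interface from a 106021 line."""
    m = re.search(r"106021: Deny (\S+) reverse path check from (\S+) to (\S+) "
                  r"on interface (\S+)", line)
    if not m:
        return None
    proto, src, dst, iface = m.groups()
    return {"proto": proto, "src": src, "dst": dst, "iface": iface}


def broadcast_prefixes(src, dst):
    """Prefix lengths /8../30 for which dst is the broadcast address of the
    network containing src. A non-empty list means the packet looks like a
    local subnet broadcast from a host on the segment, as the poster suspected,
    rather than something routed in from elsewhere."""
    hits = []
    for plen in range(8, 31):
        net = ipaddress.ip_network(f"{src}/{plen}", strict=False)
        if net.broadcast_address == ipaddress.ip_address(dst):
            hits.append(plen)
    return hits


if __name__ == "__main__":
    fields = parse_106021(SAMPLE_LOG)
    verdict = rpf_check(fields["proto"], fields["src"], fields["dst"], fields["iface"])
    print(verdict)
    print("broadcast-of-source prefixes:", broadcast_prefixes(fields["src"], fields["dst"]))
```

Running it on the constructed line reproduces the deny with reason "no-route" and shows that 192.254.255.255 is the broadcast address of 192.254.0.0/16 (and of the /17 and /18 containing the source), consistent with a host on the intern segment using an address outside that interface's range. The script does not resolve a MAC address; that has to come from the switch's address table or a capture on the segment itself.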