Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
980
Views
0
Helpful
1
Replies

IP spoofing on GRE

ward
Level 1
Level 1

‎09-29-2003 05:48 AM - edited ‎03-09-2019 04:57 AM

Hi

I am having a problem on our network where

we are using GRE tunnels as our WAN/VPN to all our remote sites.Each GRE tunnel interface has got an ip address provided by the service provider.

My firewall is detecting IP spoffing from pretty much most of our remolte gre source addresses.

If i do an IP accounting on our core router on the serial interface it shows loads of 56 byte packets coming in a with a source gre tunnel ip address trying to connect to loads of different destination internet addresses around the world.It only seems to b e one packet from laods of different site gre tunnel addresses.They are all only 56 byte packets and it is protocol 1 which is ICMP.

My service provider told me its a worm bvut I dont think it is because all our remote servers are up to date with the latest virus definitions and we cant find a trace of any worm or virus.We run a citrix terminal server environment so it cant be on the remote desktops as they are dumb terminals.

I think that someone is spoofing and using our source address to try and connect to these different IP addresses on the internet.I also found that some of the source ip addresses are not even ours.It is the ip addresses of the service providers routers or something because they fall within the same subnet of the ip address provided for our gre tunnel interfaces.Can someone tell me how to stop this spoofing and whether I am correct.

Thanks

Labels:
0 Helpful
1 Reply 1

jsivulka
Level 5
Level 5

‎10-03-2003 10:28 AM

The document 'Protecting Your Core: Infrastructure Protection Access Control Lists' should help you. It discusses protecting your tunnel interfaces and preventing spoofing.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents