Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IP spoofing on GRE


I am having a problem on our network where

we are using GRE tunnels as our WAN/VPN to all our remote sites.Each GRE tunnel interface has got an ip address provided by the service provider.

My firewall is detecting IP spoffing from pretty much most of our remolte gre source addresses.

If i do an IP accounting on our core router on the serial interface it shows loads of 56 byte packets coming in a with a source gre tunnel ip address trying to connect to loads of different destination internet addresses around the world.It only seems to b e one packet from laods of different site gre tunnel addresses.They are all only 56 byte packets and it is protocol 1 which is ICMP.

My service provider told me its a worm bvut I dont think it is because all our remote servers are up to date with the latest virus definitions and we cant find a trace of any worm or virus.We run a citrix terminal server environment so it cant be on the remote desktops as they are dumb terminals.

I think that someone is spoofing and using our source address to try and connect to these different IP addresses on the internet.I also found that some of the source ip addresses are not even ours.It is the ip addresses of the service providers routers or something because they fall within the same subnet of the ip address provided for our gre tunnel interfaces.Can someone tell me how to stop this spoofing and whether I am correct.



Re: IP spoofing on GRE

The document 'Protecting Your Core: Infrastructure Protection Access Control Lists' should help you. It discusses protecting your tunnel interfaces and preventing spoofing.

CreatePlease to create content