Solved

access-list to block ip spoof

Posted on 2003-10-27
Last Modified: 2007-12-19
I have a PIX firewall that is connected to the Internet (without a router). I am seeing a lot of "deny ip spoof from 127.0.0.1" in my syslog. I know that you can implement an access-list on the router to fight IP spoofing, but I tried the same command on my PIX without success. What are the right commands on the PIX to fight IP spoofing?
Question by:tshi5791
8 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9675953
A good reference is here:
http://www.thewaystation.com/techref/internet-in.shtml

The main thrust of it is that you should block inbound traffic on your outside interface from those addresses that will NEVER be valid on that interface (i.e. loopback address, private addresses, broadcast addresses, etc.)

To be safe you would also apply an access list inbound on your inside interface only allowing traffic from the subnet ranges that are actually on your inside network.

The above link is for Cisco routers, but is easily modified for the PIX. Just remember that the subnet masks are backwards!
 

Author Comment

by:tshi5791
ID: 9851430
Hi td_miles

Though I am getting this message from my syslog:
"2003-12-01 08:28:22      User.Critical      194.10.1.110      Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.X.X on interface outside",

when I look at my firewall log, I don't see the count.
Below is a part of my access-list.
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 255.255.255.0 any log
access-list 104 deny ip 172.16.0.0 255.255.0.0 any log
access-list 104 deny ip 192.168.0.0 255.255.0.0 any log
access-list 104 deny ip 224.0.0.0 255.255.255.0 any log
access-list 104 deny ip 192.0.0.0 255.255.255.0 any log
access-list 104 deny ip host 127.0.0.1 any log

This acce
 
LVL 13

Expert Comment

by:td_miles
ID: 9854374
Is access-list 104 applied to the outside interface ?

From the PIX, use the command "sho access-list 104" and see if it is matching your deny statements for 127.0.0.0/24 by the number of times it has matched this line of the ACL.
Author Comment

by:tshi5791
ID: 9858096
Hi td_miles

Yes, the access-list is applied to the outside interface.

When I do "show access-list 104", I don't see any increase in hit counts.
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
 
LVL 13

Expert Comment

by:td_miles
ID: 9863157
From what you have posted above, you are only showing part of the access-list. Can you post the whole access-list please? It is possible that a previous line in the ACL is matching the traffic first and so it is not getting to the deny statements.
 

Author Comment

by:tshi5791
ID: 9867640
Here it is.

access-list 104; 43 elements
access-list 104 line 1 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 2 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=0)
access-list 104 line 3 permit tcp any host 216.75.X.Y eq 7622 (hitcnt=0)
access-list 104 line 4 permit tcp any host 216.75.X.Y eq 7650 (hitcnt=0)
access-list 104 line 5 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 6 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 7 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 8 permit tcp any host 216.75.X.Y eq ftp (hitcnt=12)
access-list 104 line 9 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=97)
access-list 104 line 10 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 11 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=4)
access-list 104 line 12 permit tcp any host 216.75.X.Y eq 8720 (hitcnt=100)
access-list 104 line 13 permit tcp any host 216.75.X.Y eq 8750 (hitcnt=0)
access-list 104 line 14 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=24)
access-list 104 line 15 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 16 permit tcp any host 216.75.X.Y eq 2070 (hitcnt=111)
access-list 104 line 17 permit tcp any host 216.75.X.Y eq 5001 (hitcnt=109)
access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)
access-list 104 line 19 deny udp any any eq 445 log 6 interval 300 (hitcnt=0)
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 21 deny udp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 22 deny tcp any any eq 137 log 6 interval 300 (hitcnt=0)
access-list 104 line 23 deny udp any any eq netbios-ns log 6 interval 300 (hitcnt=1054)
access-list 104 line 24 deny udp any any eq tftp log 6 interval 300 (hitcnt=0)
access-list 104 line 25 deny udp any any eq netbios-dgm log 6 interval 300 (hitcnt=0)
access-list 104 line 26 deny udp any any eq 139 log 6 interval 300 (hitcnt=0)
access-list 104 line 27 deny tcp any any eq netbios-ssn log 6 interval 300 (hitcnt=81)
access-list 104 line 28 deny tcp any any eq 593 log 6 interval 300 (hitcnt=0)
access-list 104 line 29 deny tcp any any eq 4444 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=46236)
access-list 104 line 31 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 32 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 33 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 34 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 35 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 36 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
 
LVL 13

Accepted Solution

by:td_miles (earned 300 total points)
ID: 9870839
After reading some documentation on the spoofing log message, it appears that the PIX is automatically configured to deny packets with an invalid source address, specifically where the source address is one of:

* Loopback network (127.0.0.0)
* Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
* The destination host (land.c)

Which would mean that the PIX is blocking it automatically and you don't need it in the ACL (and hence why it is not being matched in the ACL, the PIX blocks it before it gets to the ACL).

If you want to stop this message from appearing in the logs, use the "no log" command:

no logging message 106016

or you can change the level that it logs this message at, again using the logging command:

logging message 106016 level 6   (to log it at the info level)

My apologies for not checking on this sooner.
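As an added illustration (not code from this thread or from Cisco), a small Python model of the two points td_miles makes: the built-in check behind %PIX-2-106016 runs before any ACL, so entries like lines 38 and 43 never get a hit, and an ACL is walked first-match, so an earlier entry can absorb traffic. It also covers the IOS wildcard versus PIX netmask remark from the first comment. The sample ACL, the interface subnet 216.75.0.0/24 and the test addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample in 'show access-list' form; PIX uses real netmasks (127.0.0.0 255.255.255.0 = /24).
SAMPLE_ACL = """
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
""".strip().splitlines()

def wildcard_to_netmask(wildcard):
    """IOS wildcard 0.0.0.255 -> PIX netmask 255.255.255.0 (the 'backwards' masks)."""
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))

def parse_entry(line):
    """Parse one entry into a rule dict (assumes ip/tcp/udp/icmp and numeric 'eq' ports)."""
    tok = line.split()
    i = 4 if tok[2] == "line" else 2            # skip the 'line N' that show output inserts
    action, proto, rest = tok[i], tok[i + 1], tok[i + 2:]
    def take(t):                                # any | host A | A MASK -> (network, leftover)
        if t[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), t[1:]
        if t[0] == "host": return ipaddress.ip_network(t[1]), t[2:]
        return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]
    src, rest = take(rest)
    dst, rest = take(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "hitcnt": 0}

def spoof_check(src, dst, iface_net):
    """Model of the built-in test behind %PIX-2-106016; it runs before any ACL is consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    bcast = (ipaddress.ip_address("255.255.255.255"), ipaddress.ip_network(iface_net).broadcast_address)
    checks = [(s.is_loopback, "loopback source"), (s in bcast, "broadcast source"),
              (s == d, "source equals destination (land)")]
    return next((why for hit, why in checks if hit), None)

def process(acl, proto, src, dst, dport=None, iface_net="216.75.0.0/24"):
    """Spoof check first, then a first-match ACL walk; returns (verdict, reason)."""
    why = spoof_check(src, dst, iface_net)
    if why:
        return "deny", "106016: " + why          # ACL never walked, so every hitcnt stays 0
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(acl, 1):
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and (e["port"] is None or e["port"] == dport)):
            e["hitcnt"] += 1                     # only the first matching entry counts
            return e["action"], f"entry {n}"
    return "deny", "implicit deny"

ACL = [parse_entry(l) for l in SAMPLE_ACL]
```

Running process() with a 127.0.0.1 source leaves the hitcnt of the loopback entries at 0, which is the symptom seen in the "show access-list 104" output above.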
 

Author Comment

by:tshi5791
ID: 9874155
td_miles,

No need to apologize. I thank you for taking the time to help me out. I did come across similar docs but was not sure. It is always good to get a second opinion.

Thanks again.
