Spoofed Source IPs

Posted on 2005-04-26
Last Modified: 2013-11-16
I have a Cisco-based network and a Watchguard firewall - I have 192.168.1.x, 192.168.2.x, and 192.168.4.x VLANs and subnets set up. In my Watchguard I am getting many spoofed IPs from the inside, from 10.3.26.240 and 10.6.34.240 - I know this can mean a misconfigured device somewhere on the network - any tips on how to locate the device on the LAN that is causing the spoofs?
Question by: mrsmileyns
9 Comments
 

Accepted Solution
by: Rich Rumble (earned 700 total points)
ID: 13868668
Try getting the MAC address of the IP; it should be in the ARP table of your Cisco routers or even the Watchguard firewall.
Router# show arp | include 10.3.26
or
Router# show arp | include 10.6.34

Once you locate the MAC, you can show cam (Catalyst switches) or show mac-address-table on the smaller 3500 series switches
Switch# show cam 00-00-B0-D0-12-34
or
Switch# show mac-address-table address 0000.b0d0.1234

That should give you a place to start physically tracing the cable/port to.
-rich
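
The ARP-then-MAC-table trace from the accepted solution, worked as an added example (not Rich's or Cisco's code): it parses constructed IOS-style "show arp" and "show mac-address-table" output, normalises the dashed and dotted MAC forms so the two commands can be matched, and reports which step failed when the IP is not found. The sample output and the MAC 0000.b0d0.1234 are constructed, not from the asker's network.

```python
import re

# Constructed sample output modelled on IOS "show arp" / "show mac-address-table"; not real output.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0c07.ac01  ARPA   Vlan1
Internet  10.3.26.240             3   0000.b0d0.1234  ARPA   Vlan4
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c07.ac01    DYNAMIC     Gi0/1
   4    0000.b0d0.1234    DYNAMIC     Fa0/12
"""

def norm_mac(mac):
    """Canonicalise 00-00-B0-D0-12-34, 00:00:b0:d0:12:34 or 0000.b0d0.1234 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def parse_arp(text):
    """Map IP -> (mac, interface) from 'show arp' output; Incomplete entries have no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", line)
        if m:
            table[m.group(1)] = (norm_mac(m.group(2)), m.group(3))
    return table

def parse_mac_table(text):
    """Map MAC -> (vlan, port) from 'show mac-address-table' output."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-f.]{14})\s+\S+\s+(\S+)", line)
        if m:
            table[norm_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return table

def locate(ip, arp_text=SHOW_ARP, mac_text=SHOW_MAC_TABLE):
    """Trace an IP to a switch port via ARP then the MAC table, or say which step failed."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return {"ip": ip, "status": "no ARP entry: host is on another VLAN, behind a router, or silent"}
    mac, interface = arp[ip]
    entry = parse_mac_table(mac_text).get(mac)
    if entry is None:
        return {"ip": ip, "mac": mac, "interface": interface, "status": "MAC not learned on this switch"}
    return {"ip": ip, "mac": mac, "interface": interface, "vlan": entry[0], "port": entry[1], "status": "located"}
```

If the ARP lookup fails on every router, as it did for the asker, the source is not on a directly attached segment and the trace has to move to the firewall or a SPAN port instead.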

Author Comment
by: mrsmileyns
ID: 13869362
I went to every switch and router - I don't see these IPs in any ARP cache - I have also been using a packet sniffer and network scanner to try to figure it out, but alas no luck yet. I put a test PC on the "rogue" subnet to try to track it down but could not - I also enabled port monitoring on the switch port of the monitoring PC to try to capture the traffic, but still no luck. I suppose it is possible it is originating from an alternate VLAN. This isn't killing my network, but I'd like to get it squared away - it's proving to be difficult to track down.

Assisted Solution
by: ViRoy (earned 300 total points)
ID: 13869508

Disconnect the computers one by one! :D j/k

You should be able to figure this out with a laptop sniffer by connecting to individual switches. Once you isolate the segment the IPs are coming from, you can narrow it down quickly by making stops at the computers in that particular segment. Since you probably don't have anything larger than a 48-port switch, it should be one of those 48.

When you say you're "getting" spoofed IPs, do you mean that something (DHCP) is assigning these IPs, or are you assigning these IPs? I don't understand what you mean by "getting".


Author Comment
by: mrsmileyns
ID: 13869617
The only place I see these is in the live traffic monitor of the firewall - it shows an IP of, for example, 10.3.26.240 with destination 10.3.26.255 - some sort of broadcast - they come in "bundles" of about 10 packets at a time - it looks like the source and destination port is 179 or 178 - the only traffic monitor I see these network addresses in is the firewall... and it states: denied - spoofed address.
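
An added example (not the asker's firewall logs or WatchGuard code) of the check the firewall is applying when it logs "denied - spoofed address": over constructed log lines in a made-up format it flags packets that arrive on the inside interface from a source outside the three inside subnets, notes x.x.x.255 destinations as /24 broadcasts, and counts the repeated "bundles" by source, destination, protocol and port.

```python
import ipaddress
from collections import Counter

# The inside subnets the asker listed; a packet on the inside interface from any other source is suspect.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24")]

# Constructed log lines (not real WatchGuard output), fields: time iface src dst proto sport dport
SAMPLE_LOG = """\
09:12:01 inside 192.168.1.20 192.168.1.1 tcp 1044 80
09:12:01 inside 10.3.26.240 10.3.26.255 tcp 179 179
09:12:01 inside 10.3.26.240 10.3.26.255 tcp 179 179
09:12:02 inside 10.6.34.240 10.6.34.255 udp 178 178
09:12:02 external 203.0.113.7 192.168.1.20 tcp 443 1044
09:12:03 inside 192.168.4.9 192.168.4.255 udp 137 137
"""

def classify(line):
    """Return (verdict, record) for one log line; verdict is 'ok' or 'spoofed-source'."""
    _, iface, src, dst, proto, sport, dport = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # An x.x.x.255 destination is the directed broadcast of a /24, as seen in the thread.
    bcast = dst_ip == ipaddress.ip_network("%s/24" % dst_ip, strict=False).broadcast_address
    rec = {"iface": iface, "src": src, "dst": dst, "proto": proto,
           "sport": int(sport), "dport": int(dport), "broadcast": bcast}
    if iface == "inside" and not any(src_ip in net for net in INSIDE_NETS):
        return "spoofed-source", rec
    return "ok", rec

def spoof_report(log_text):
    """Count spoofed flows by (src, dst, proto, dport) so the repeated 'bundles' stand out."""
    bundles = Counter()
    for line in log_text.splitlines():
        verdict, rec = classify(line)
        if verdict == "spoofed-source":
            bundles[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return bundles

if __name__ == "__main__":
    for (src, dst, proto, dport), count in spoof_report(SAMPLE_LOG).items():
        print("%d x %s -> %s %s/%d (source not in any inside subnet)" % (count, src, dst, proto, dport))
```

The report groups the noise into a handful of distinct source/destination pairs, which is what makes a "whose address is this?" question to the vendor (as the asker ended up doing) tractable.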

Author Comment
by: mrsmileyns
ID: 13870153
In addition to my LAN we have a couple of vendor-managed financial servers on the network - on a hunch we checked with them to see what these IPs mean to them - bingo - these are the IPs of those servers on the vendor's side of each of those circuits - the servers are actually routers as well - one side is theirs, one side is ours to the LAN - they are looking into their config and will get the boxes to stop broadcasting.

Expert Comment
by: Rich Rumble
ID: 13870187
So your router's ARP table doesn't list them?
show arp (for a Cisco)... weird. I assume they are hitting the inside interface (private int) of your firewall.
PORTS
nextstep      178/tcp            NeXTStep NextStep      # NeXTStep window
nextstep      178/udp            NeXTStep NextStep      # server
bgp            179/tcp                        # Border Gateway Proto.
bgp            179/udp

Port 179 is a little disheartening, as BGP is a routing protocol (typically that's what this port is used for).
x.x.x.255 is typically the broadcast address of a /24 subnet (1.2.3.x 255.255.255.0), and perhaps with Ethereal you could determine the packet's contents...

If you have a Cisco Catalyst switch it's easy to set up a sniffing box to receive all the same traffic that your firewall is seeing

Port 2/34 = your firewall, inside interface (for example)
Port 5/21 = your sniffer PC

set span 2/34 5/21

or you can use VLANs

set span vlan 2-100 5/21

or

set span vlan 2, 5-7, 8, 10-20 5/21

Ethereal is a great sniffer; if you're not using it, you may want to consider it.
-rich


Expert Comment
by: Rich Rumble
ID: 13870190
Ahh, posted too late... glad to hear you may have a solution now.
-rich

Author Comment
by: mrsmileyns
ID: 13870246
I was working with Ethereal - this question gave me some pointers on how to use it better - I am honestly not sure who to give the points to - I sort of figured it out on my own - but everyone here taught me something new - I guess I'll split 'em up somehow :)

Expert Comment
by: Rich Rumble
ID: 13870301
It's easy to split the points when you accept the answer; you can also get a refund if that is your wish: post a question on Community Support.

Here is an added bonus, an Ethereal capture filter tutorial:
Here are some Ethereal capture filters - THE EXAMPLES PROBABLY HELP MORE

--------------------------------------------------
Host filtering:
Syntax                  Description
host host               Capture all packets to/from host; host is either an IP address or a host name ("host FRED" is the same as "host 10.0.0.21")
src host host           Capture all packets where host is the source ("src host FRED" is the same as "src host 10.0.0.21")
dst host host           Capture all packets where host is the destination

Examples:
host 10.10.10.10        Capture all packets to and from 10.10.10.10
src host 10.10.10.10    Capture all packets where 10.10.10.10 is the source
dst host 10.10.10.10    Capture all packets where 10.10.10.10 is the destination

--------------------------------------------------
Port filtering:
Syntax                  Description
port port               Capture all packets where port is either the source or destination port
src port port           Capture all packets where port is the source port
dst port port           Capture all packets where port is the destination port

Examples:
port 80                 Capture all packets where 80 is either the source or destination port
src port 80             Capture all packets where 80 is the source port
dst port 80             Capture all packets where 80 is the destination port

--------------------------------------------------
Network filtering:
Syntax                  Description
net net                 Capture all packets to/from net
src net net             Capture all packets where net is the source
dst net net             Capture all packets where net is the destination

Examples:
net 192.168             Capture all packets where the network is 192.168.0.0
src net 192.168         Capture all packets where the 192.168.0.0 network is the source
dst net 192.168         Capture all packets where the 192.168.0.0 network is the destination

--------------------------------------------------
Protocol-based filters

Ethernet based:
Syntax                  Description
ether proto \[primitive name]

Examples:
ether proto \ip or just ip        Capture all IP packets
ether proto \arp or just arp      Capture all Address Resolution Protocol packets
ether proto \rarp or just rarp    Capture all reverse ARP packets

--------------------------------------------------
IP based:
Syntax                  Description
ip proto \[primitive name]

Examples:
ip proto \tcp or just tcp         Capture all TCP segments (packets)
ip proto \udp or just udp         Capture all UDP packets
ip proto \icmp or just icmp       Capture all ICMP packets

--------------------------------------------------
Combining primitive expressions
You may combine primitive expressions using the following:
Negation: ! or not
Concatenation: && or and
Alternation: || or or

Examples:
host 10.10.10.10 && ! net 192.168       Capture all packets to/from 10.10.10.10 that are not to/from 192.168.0.0
host 10.10.10.10 && port 80             Capture all packets to/from 10.10.10.10 that are sourced from or destined to port 80

Remember you can filter with "not" as well.
port 4444 or port 69 and not port 1433 and not port 1159

tcp port 4444 and not port 135 (capture all traffic with 4444 as the dest/src port and not going to port 135, UDP or TCP)

-rich
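
An added example, not from Rich's tutorial or from Ethereal/libpcap itself, that evaluates this subset of capture-filter syntax (host, net and port primitives with src/dst and tcp/udp qualifiers, IP literals only, combined with not/and/or) against a constructed packet record. It shows the "and binds tighter than or" rule that applies to the port 4444 / port 69 filter above, the "net 192.168" shorthand, and the rejection of a filter that omits the "and" between two primitives.

```python
import ipaddress
OR, AND, NOT = ("or", "||"), ("and", "&&"), ("not", "!")

def _net(spec):
    # tcpdump shorthand: "net 192.168" means 192.168.0.0/16, "net 10.3.26" means 10.3.26.0/24
    octets = spec.split(".")
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets)))

def _primitive(tokens, i, pkt):
    # Evaluate one primitive starting at tokens[i]; return (truth, index after it).
    proto = direction = None
    if tokens[i] in ("tcp", "udp"):            # protocol qualifier, as in "tcp port 4444"
        proto, i = tokens[i], i + 1
    if tokens[i] in ("src", "dst"):            # without src/dst, either end of the packet counts
        direction, i = tokens[i], i + 1
    kind, arg = tokens[i], tokens[i + 1]
    sides = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
    tests = {"host": lambda s: pkt[s + "_ip"] == arg,
             "net": lambda s: ipaddress.ip_address(pkt[s + "_ip"]) in _net(arg),
             "port": lambda s: pkt[s + "_port"] == int(arg)}
    if kind not in tests:
        raise ValueError("unsupported primitive: " + kind)
    hit = any(tests[kind](s) for s in sides)
    return hit and (proto is None or pkt["proto"] == proto), i + 2

def _factor(tokens, i, pkt):                   # "not" binds tightest
    if tokens[i] in NOT:
        v, i = _factor(tokens, i + 1, pkt)
        return not v, i
    return _primitive(tokens, i, pkt)

def _chain(tokens, i, pkt, ops, below, combine):
    v, i = below(tokens, i, pkt)
    while i < len(tokens) and tokens[i] in ops:
        r, i = below(tokens, i + 1, pkt)
        v = combine(v, r)
    return v, i

def _term(tokens, i, pkt):                     # "and" binds tighter than "or"
    return _chain(tokens, i, pkt, AND, _factor, lambda a, b: a and b)
def _expr(tokens, i, pkt):
    return _chain(tokens, i, pkt, OR, _term, lambda a, b: a or b)

def matches(filter_text, pkt):
    # pkt: dict with src_ip, dst_ip, src_port, dst_port and proto ("tcp", "udp", ...)
    tokens = filter_text.split()
    v, i = _expr(tokens, 0, pkt)
    if i != len(tokens):                       # "tcp port 4444 ! port 135" fails here: no "and"
        raise ValueError("unparsed tokens: " + " ".join(tokens[i:]))
    return v
```

Because "and" binds tighter, "port 4444 or port 69 and not port 1433" still matches a packet from port 4444 to port 1433; parenthesise if the exclusion was meant to apply to both ports.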