Solved

IP address spoofing

Posted on 2009-07-07
6
477 Views
Last Modified: 2012-05-07
I am getting some errors from my firewall stating that server machines inside my network (Exchange Servers, Windows Servers, OS X servers, Solaris Server...) are being blocked attempting to connect to private IP addresses that are not a part of my network.  They are attempting to connect to high UDP ports on those IP addresses; the connection ports that are being reported from the servers are 1784, 1659, 1475, and a couple others.  I have looked at the servers and I know that the packets are not coming from them.  My assumption is that there is a device on my network that is spoofing the servers' IP addresses.  How do I find the device that is causing the issues?  My core switch is an Extreme Black Diamond.  The error that I am seeing from the firewall is

%ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
Question by:warewols
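An added example (not code from the question or from any of the answers) for working through a batch of these ASA 106006 messages: it parses the denies, counts them per claimed source, lists the destination ports each source is being denied to, and flags destinations that are private (RFC 1918) but outside the prefixes you declare as your own, which is the "private IP addresses that are not part of my network" pattern the question describes. The log lines, their timestamps and the 10.1.0.0/16 prefix are constructed assumptions; only the message format is taken from the question.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post), in the ASA syslog
# shape quoted in the question. Timestamps and hostnames are assumed.
SAMPLE_LOG = """\
Jul 07 2009 09:00:01 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
Jul 07 2009 09:00:01 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.144/1784 to 192.168.1.108/49175 on interface inside
Jul 07 2009 09:00:02 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.144/1659 to 172.16.9.20/50012 on interface inside
Jul 07 2009 09:00:02 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.150/1475 to 192.168.1.108/49175 on interface inside
Jul 07 2009 09:00:03 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.144/1475 to 10.1.2.9/40001 on interface inside
Jul 07 2009 09:00:03 fw01 : %ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 8.8.8.8/53 on interface inside
"""

# Assumed: the prefixes that really belong to this LAN. A private address that
# is NOT inside these is a "foreign" private destination, the odd case the
# question is about (legitimate hosts have no reason to talk to such addresses).
OWN_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]

# Field layout of message 106006 as quoted in the question.
LINE_RE = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)"
)


def parse_denies(text):
    """Yield one dict per 106006 line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            yield d


def is_foreign_private(ip):
    """True for an RFC 1918 address that is not within any of OWN_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private and not any(addr in net for net in OWN_NETWORKS)


def summarize(text, threshold=1000):
    """Per claimed source IP: deny count, denies to foreign private space,
    destination ports seen, and whether the count reaches `threshold`
    (the question reports thousands per minute, so pick it per log window)."""
    per_src = Counter()
    foreign = Counter()
    dports = defaultdict(set)
    for d in parse_denies(text):
        # Only the inside-interface UDP denies the question is about.
        if d["iface"] != "inside" or d["proto"] != "UDP":
            continue
        per_src[d["src"]] += 1
        dports[d["src"]].add(d["dport"])
        if is_foreign_private(d["dst"]):
            foreign[d["src"]] += 1
    return {
        src: {
            "denies": n,
            "to_foreign_private": foreign[src],
            "dports": sorted(dports[src]),
            "noisy": n >= threshold,
        }
        for src, n in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG, threshold=3).items():
        print(src, info)
```

The "to_foreign_private" count is the useful signal: a real Exchange or Solaris box has no business sending UDP to 192.168.x.x space it is not connected to, so a source IP with a high count there is the one to chase at layer two.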
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794637
Hello

at least the firewall is doing its job

see

http://www.experts-exchange.com/Security/Software_Firewalls/Q_24130845.html

the post is similar, looks like nothing to worry about, unless you get 1000's of these a day

are the ip ranges known in your network?

if not, it seems like a malformed packet sent from outside your network in hopes of discovering machines inside your network

The packet is disguised to appear from inside your Lan to traverse firewalls, hopefully, called firewalking

If these are your IP addresses in your LAN, don't worry

Jfer
0
 

Author Comment

by:warewols
ID: 24794692
I am getting 1000's of these a minute.  It started about a week ago, and has been steadily climbing.  As far as I can tell, the traffic is originating from inside my network.  I just know that it is not originating from the source that it is claiming.  I have checked out the supposed source, from top to bottom, and have found nothing that could be causing the error.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794774
Can you verify your users have not installed peer-to-peer software, LimeWire, BitTorrent related, or a net sniffer tool

judging by the output, this may be a possibility, track the source IP to the machine

if you are adamant, and are 100% sure this is not from your LAN, verify the incoming traffic on your ASA, try to see if you can capture the UDP packet,

Jfer
0

 

Author Comment

by:warewols
ID: 24794841
I am sure the traffic is being generated from my LAN, I am also sure that the traffic is not truly coming from the IP address stated in the firewall logs.  My thoughts are that either someone is maliciously spoofing the IP addresses of my servers or there is a process (ie virus, trojan, ad-ware, spyware) out on my internal network that is causing this traffic.  The really strange thing is that the log from the firewall is not specifying a MAC address in these firewall logs, but when the server does connect to the outside world, the firewall logs the server's MAC address.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 250 total points
ID: 24798505
How many machines are on your network? If there are less than . . . some large number . . . get "Cain & Abel" and use ARP cache poisoning to vector all traffic -- one machine at a time -- through your machine. It's tedious but it will work.

Good luck,
SteveJ
0
 
LVL 9

Assisted Solution

by:jfer0x01
jfer0x01 earned 250 total points
ID: 24799191
ok, get an application like LanGuard, NetCap, Wireshark, SolarWinds, etc

and make capture filter based on the size of the "spoofed" source packet

you cannot fool Layer Two, like MAC addresses, for long; even though a MAC is changeable, the packet will have a MAC address somehow

Before all that, ask yourself this

Which employee(s) could actually poison the ARP cache, or use tools to poison DNS?

Which employee(s) have admin credentials to install the tools?

What motivation or goal are they accomplishing by doing this?


0
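An added example (not from the question or the answers) of the layer-two check jfer0x01 describes: once you have a capture from a mirror/span port, every frame carries a source MAC regardless of what IP it claims, so comparing the source MAC against an inventory of the real servers' NICs separates genuine traffic from the spoofed frames, ranks the MACs doing the spoofing (the thing to look up in the core switch's MAC table to find the port), records the frame sizes of each class for the size-based capture filter suggested above, and builds a tcpdump/Wireshark capture filter in pcap-filter syntax for live use. The inventory, MAC addresses, frames and sizes are constructed assumptions.

```python
from collections import Counter, defaultdict

# Assumed inventory: the MAC of each real server's NIC (constructed values).
SERVER_MACS = {
    "10.1.1.144": "00:1a:4b:aa:bb:01",
    "10.1.1.150": "00:1a:4b:aa:bb:02",
}

# Constructed frames as a capture tool would show them, one tuple per frame:
# (src_mac, src_ip, dst_ip, dst_port, frame_len). Not from the original post.
FRAMES = [
    ("00:1a:4b:aa:bb:01", "10.1.1.144", "10.1.1.5", 53, 78),          # real server, DNS query
    ("00:25:9c:de:ad:01", "10.1.1.144", "192.168.1.108", 49175, 60),  # claims the server's IP
    ("00:25:9c:de:ad:01", "10.1.1.144", "192.168.1.108", 49175, 60),
    ("00:25:9c:de:ad:01", "10.1.1.150", "172.16.9.20", 50012, 60),    # now claims another server
    ("00:1a:4b:aa:bb:02", "10.1.1.150", "10.1.1.5", 53, 78),          # real server, DNS query
]


def is_genuine(src_mac, src_ip, inventory):
    """A frame is genuine when its source MAC is the registered NIC for that IP.
    IPs absent from the inventory are not judged (returns None)."""
    expected = inventory.get(src_ip)
    if expected is None:
        return None
    return src_mac.lower() == expected.lower()


def find_spoofers(frames, inventory):
    """Claimed source IP -> {MAC that sent it but is not the real NIC: frame count}."""
    bad = defaultdict(Counter)
    for src_mac, src_ip, _dst, _dport, _len in frames:
        if is_genuine(src_mac, src_ip, inventory) is False:
            bad[src_ip][src_mac.lower()] += 1
    return {ip: dict(macs) for ip, macs in bad.items()}


def rank_suspects(frames, inventory):
    """MACs sending spoofed frames, busiest first; look these up in the switch MAC table."""
    totals = Counter()
    for macs in find_spoofers(frames, inventory).values():
        totals.update(macs)
    return totals.most_common()


def size_signature(frames, inventory):
    """Frame sizes seen for genuine vs spoofed traffic, to seed a size-based capture filter."""
    sizes = {"genuine": set(), "spoofed": set()}
    for src_mac, src_ip, _dst, _dport, frame_len in frames:
        verdict = is_genuine(src_mac, src_ip, inventory)
        if verdict is True:
            sizes["genuine"].add(frame_len)
        elif verdict is False:
            sizes["spoofed"].add(frame_len)
    return sizes


def bpf_filter(src_ip, inventory):
    """pcap-filter expression: UDP frames claiming src_ip that did not come from its real NIC."""
    return f"src host {src_ip} and udp and not ether src {inventory[src_ip]}"


if __name__ == "__main__":
    print("spoofed IPs by MAC:", find_spoofers(FRAMES, SERVER_MACS))
    print("suspect MACs:", rank_suspects(FRAMES, SERVER_MACS))
    print("frame sizes:", size_signature(FRAMES, SERVER_MACS))
    print("capture filter:", bpf_filter("10.1.1.144", SERVER_MACS))
```

The MAC that tops rank_suspects is the lead: it may be a genuine NIC address or a changed one, but either way the switch learned it on some port, and that port is the device to pull. The filter string can be pasted into tcpdump (`tcpdump -i eth0 -e '<filter>'`) or the Wireshark capture-filter box so only the spoofed frames are captured from then on.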
