Solved

IP address spoofing

Posted on 2009-07-07
6
531 Views
Last Modified: 2012-05-07
I am getting some errors from my firewall stating that server machines inside my network (Exchange Servers, Windows Serves, OS X servers, Solaris Server...) are being blocked attempting to connect to private IP addresses that are not a part of my network.  They are attemping to connect to high UDP ports on those IP addresses, the connection ports that are being reported from the servers are 1784, 1659, 1475, and a couple others.  I have looked at the servers and I know that the packets are not coming from them.  My assumption is that there is a device on my network that is spoofing the servers' IP addresses.  How do I find the device that is causing the issues?  My core switch is an Extreme Black Diamond.  The error that I am seeing from the firewall is

%ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
0
Comment
Question by:warewols
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794637
Hello

at least the firewall is doing its job

see

http://www.experts-exchange.com/Security/Software_Firewalls/Q_24130845.html

the post is similar, looks like nothing to worry about, unless you get 1000's of these a day

are the ip ranges known in your network?

if not,  it seems like a malformed packet sent from outside your network in hopes of discovering machines inside your network

The packet is disguised to appear from inside your Lan to traverse firewalls, hopefully, called firewalking

If these are your IP address in your Lan, dont worry

Jfer
0
 

Author Comment

by:warewols
ID: 24794692
I am getting 1000's of these a minute.  It started about a week ago, and has been steadily climbing.  As far as I can tell, the traffic is originating from inside my network.  I just know that it is not originating from the source that it is claiming.  I have checked out the supposed source, from top to bottom, and have found nothing that could be causing the error.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794774
Can you verify your users have not installed peer 2 peer software, LimeWirte, Bit-Torrent related, or a net sniffer tool

judging by the output, this may be a posiblity, track the source ip to the machine

if you are adamant, and are 100% sure this is not from your Lan, verify the incoming traffic on your asa, try to see if you can capture the udp packet,

Jfer
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 

Author Comment

by:warewols
ID: 24794841
I am sure the traffic is being generated from my LAN, I am also sure that the traffic is not truly coming from the IP address stated in the firewall logs.  My thoughts are that either someone is maliciously spoofing the IP addresses of my servers or there is a process (ie virus, trojan, ad-ware, spyware) out on my internal network that is causing this traffic.  The really strange thing is that the log from the firewall is not specifying a MAC address in these firewall logs, but when the server does connect to the outside world, the firewall logs the server's MAC address.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 250 total points
ID: 24798505
How many machines are on your network? If there are less than  . . . .some large number  . . . get "Cain and Able" and use arp cache poisoning to vector all traffic -- one machine at a time -- through your machine. It's tedious but it will work.

Good luck,
SteveJ
0
 
LVL 9

Assisted Solution

by:jfer0x01
jfer0x01 earned 250 total points
ID: 24799191
ok, get an application like LanGuard, NetCap, Wireshark, SolarWinds, etc

and make capture filter based on the size of the "spoofed" source packet

you cannot fool Layer Two, Like MAC Addresses for long, even though a MAC is changeable, the packet with have a MAC address somehow

Before all that, ask yourself this

Which employee / 's could actually poison the arp cache, or use tools to poison DNS?

Which employee/ 's have admin credentials to install the tools?

What motivation or goal are they accomplishing by doing this?


0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question