Solved

IP address spoofing

Posted on 2009-07-07
6
489 Views
Last Modified: 2012-05-07
I am getting some errors from my firewall stating that server machines inside my network (Exchange Servers, Windows Serves, OS X servers, Solaris Server...) are being blocked attempting to connect to private IP addresses that are not a part of my network.  They are attemping to connect to high UDP ports on those IP addresses, the connection ports that are being reported from the servers are 1784, 1659, 1475, and a couple others.  I have looked at the servers and I know that the packets are not coming from them.  My assumption is that there is a device on my network that is spoofing the servers' IP addresses.  How do I find the device that is causing the issues?  My core switch is an Extreme Black Diamond.  The error that I am seeing from the firewall is

%ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
0
Comment
Question by:warewols
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794637
Hello

at least the firewall is doing its job

see

http://www.experts-exchange.com/Security/Software_Firewalls/Q_24130845.html

the post is similar, looks like nothing to worry about, unless you get 1000's of these a day

are the ip ranges known in your network?

if not,  it seems like a malformed packet sent from outside your network in hopes of discovering machines inside your network

The packet is disguised to appear from inside your Lan to traverse firewalls, hopefully, called firewalking

If these are your IP address in your Lan, dont worry

Jfer
0
 

Author Comment

by:warewols
ID: 24794692
I am getting 1000's of these a minute.  It started about a week ago, and has been steadily climbing.  As far as I can tell, the traffic is originating from inside my network.  I just know that it is not originating from the source that it is claiming.  I have checked out the supposed source, from top to bottom, and have found nothing that could be causing the error.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794774
Can you verify your users have not installed peer 2 peer software, LimeWirte, Bit-Torrent related, or a net sniffer tool

judging by the output, this may be a posiblity, track the source ip to the machine

if you are adamant, and are 100% sure this is not from your Lan, verify the incoming traffic on your asa, try to see if you can capture the udp packet,

Jfer
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:warewols
ID: 24794841
I am sure the traffic is being generated from my LAN, I am also sure that the traffic is not truly coming from the IP address stated in the firewall logs.  My thoughts are that either someone is maliciously spoofing the IP addresses of my servers or there is a process (ie virus, trojan, ad-ware, spyware) out on my internal network that is causing this traffic.  The really strange thing is that the log from the firewall is not specifying a MAC address in these firewall logs, but when the server does connect to the outside world, the firewall logs the server's MAC address.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 250 total points
ID: 24798505
How many machines are on your network? If there are less than  . . . .some large number  . . . get "Cain and Able" and use arp cache poisoning to vector all traffic -- one machine at a time -- through your machine. It's tedious but it will work.

Good luck,
SteveJ
0
 
LVL 9

Assisted Solution

by:jfer0x01
jfer0x01 earned 250 total points
ID: 24799191
ok, get an application like LanGuard, NetCap, Wireshark, SolarWinds, etc

and make capture filter based on the size of the "spoofed" source packet

you cannot fool Layer Two, Like MAC Addresses for long, even though a MAC is changeable, the packet with have a MAC address somehow

Before all that, ask yourself this

Which employee / 's could actually poison the arp cache, or use tools to poison DNS?

Which employee/ 's have admin credentials to install the tools?

What motivation or goal are they accomplishing by doing this?


0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Let’s list some of the technologies that enable smooth teleworking. 
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question