We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

IP address spoofing

warewols
warewols asked
on
Medium Priority
592 Views
Last Modified: 2012-05-07
I am getting some errors from my firewall stating that server machines inside my network (Exchange Servers, Windows Serves, OS X servers, Solaris Server...) are being blocked attempting to connect to private IP addresses that are not a part of my network.  They are attemping to connect to high UDP ports on those IP addresses, the connection ports that are being reported from the servers are 1784, 1659, 1475, and a couple others.  I have looked at the servers and I know that the packets are not coming from them.  My assumption is that there is a device on my network that is spoofing the servers' IP addresses.  How do I find the device that is causing the issues?  My core switch is an Extreme Black Diamond.  The error that I am seeing from the firewall is

%ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
Comment
Watch Question

Commented:
Hello

at least the firewall is doing its job

see

https://www.experts-exchange.com/Security/Software_Firewalls/Q_24130845.html

the post is similar, looks like nothing to worry about, unless you get 1000's of these a day

are the ip ranges known in your network?

if not,  it seems like a malformed packet sent from outside your network in hopes of discovering machines inside your network

The packet is disguised to appear from inside your Lan to traverse firewalls, hopefully, called firewalking

If these are your IP address in your Lan, dont worry

Jfer

Author

Commented:
I am getting 1000's of these a minute.  It started about a week ago, and has been steadily climbing.  As far as I can tell, the traffic is originating from inside my network.  I just know that it is not originating from the source that it is claiming.  I have checked out the supposed source, from top to bottom, and have found nothing that could be causing the error.

Commented:
Can you verify your users have not installed peer 2 peer software, LimeWirte, Bit-Torrent related, or a net sniffer tool

judging by the output, this may be a posiblity, track the source ip to the machine

if you are adamant, and are 100% sure this is not from your Lan, verify the incoming traffic on your asa, try to see if you can capture the udp packet,

Jfer

Author

Commented:
I am sure the traffic is being generated from my LAN, I am also sure that the traffic is not truly coming from the IP address stated in the firewall logs.  My thoughts are that either someone is maliciously spoofing the IP addresses of my servers or there is a process (ie virus, trojan, ad-ware, spyware) out on my internal network that is causing this traffic.  The really strange thing is that the log from the firewall is not specifying a MAC address in these firewall logs, but when the server does connect to the outside world, the firewall logs the server's MAC address.
Sr Manager Cloud Networking Ops
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.