[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

IP address spoofing

Posted on 2009-07-07
6
Medium Priority
?
550 Views
Last Modified: 2012-05-07
I am getting some errors from my firewall stating that server machines inside my network (Exchange Servers, Windows Serves, OS X servers, Solaris Server...) are being blocked attempting to connect to private IP addresses that are not a part of my network.  They are attemping to connect to high UDP ports on those IP addresses, the connection ports that are being reported from the servers are 1784, 1659, 1475, and a couple others.  I have looked at the servers and I know that the packets are not coming from them.  My assumption is that there is a device on my network that is spoofing the servers' IP addresses.  How do I find the device that is causing the issues?  My core switch is an Extreme Black Diamond.  The error that I am seeing from the firewall is

%ASA-2-106006: Deny inbound UDP from 10.1.1.144/1418 to 192.168.1.108/49175 on interface inside
0
Comment
Question by:warewols
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794637
Hello

at least the firewall is doing its job

see

http://www.experts-exchange.com/Security/Software_Firewalls/Q_24130845.html

the post is similar, looks like nothing to worry about, unless you get 1000's of these a day

are the ip ranges known in your network?

if not,  it seems like a malformed packet sent from outside your network in hopes of discovering machines inside your network

The packet is disguised to appear from inside your Lan to traverse firewalls, hopefully, called firewalking

If these are your IP address in your Lan, dont worry

Jfer
0
 

Author Comment

by:warewols
ID: 24794692
I am getting 1000's of these a minute.  It started about a week ago, and has been steadily climbing.  As far as I can tell, the traffic is originating from inside my network.  I just know that it is not originating from the source that it is claiming.  I have checked out the supposed source, from top to bottom, and have found nothing that could be causing the error.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794774
Can you verify your users have not installed peer 2 peer software, LimeWirte, Bit-Torrent related, or a net sniffer tool

judging by the output, this may be a posiblity, track the source ip to the machine

if you are adamant, and are 100% sure this is not from your Lan, verify the incoming traffic on your asa, try to see if you can capture the udp packet,

Jfer
0
Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

 

Author Comment

by:warewols
ID: 24794841
I am sure the traffic is being generated from my LAN, I am also sure that the traffic is not truly coming from the IP address stated in the firewall logs.  My thoughts are that either someone is maliciously spoofing the IP addresses of my servers or there is a process (ie virus, trojan, ad-ware, spyware) out on my internal network that is causing this traffic.  The really strange thing is that the log from the firewall is not specifying a MAC address in these firewall logs, but when the server does connect to the outside world, the firewall logs the server's MAC address.
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 1000 total points
ID: 24798505
How many machines are on your network? If there are less than  . . . .some large number  . . . get "Cain and Able" and use arp cache poisoning to vector all traffic -- one machine at a time -- through your machine. It's tedious but it will work.

Good luck,
SteveJ
0
 
LVL 9

Assisted Solution

by:jfer0x01
jfer0x01 earned 1000 total points
ID: 24799191
ok, get an application like LanGuard, NetCap, Wireshark, SolarWinds, etc

and make capture filter based on the size of the "spoofed" source packet

you cannot fool Layer Two, Like MAC Addresses for long, even though a MAC is changeable, the packet with have a MAC address somehow

Before all that, ask yourself this

Which employee / 's could actually poison the arp cache, or use tools to poison DNS?

Which employee/ 's have admin credentials to install the tools?

What motivation or goal are they accomplishing by doing this?


0

Featured Post

Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question