ip spoofed packets on a LAN, how to identify the source ? - Security


Thread: ip spoofed packets on a LAN, how to identify the source ?

  1. ip spoofed packets on a LAN, how to identify the source ?

    Hello everybody,

    I have about five servers behind a Cisco ASA, using local IP
    addresses, like 192.168.0.0/24, on a switch. The Cisco gives access to
    internal services using static NAT, by IP/ports.

    The first three, on Windows, were installed before I came. The
    other two are Linux servers with KVM installed, and the network
    connection with the virtual machines uses bridges.

    I have a virtualised mail server, and the Cisco does static NAT on ports
    993 and 25 to this server. If I try to access another port from an
    external IP, the connection is refused, which is normal.

    Because I don't trust the other machines already in place, I have temporarily
    added a software firewall on it. It's a simple Linux mail server, and the
    firewall is iptables. The input/output/forward policies are set to log
    and drop.

    However, I receive on this internal interface packets that "seem" to come
    from external addresses, for instance the source is 60.172.223.15 and the
    destination port is 8000.

    I think the Cisco doesn't let IP-spoofed packets enter on the external
    interface.

    So, is it a local server that sends IP-spoofed packets and tries to bounce
    off my server? Is this possible, and if yes, do you know a way to
    identify the machine? The MAC address of the source packets is false...

    Thanks for any idea you have.

  2. Re: ip spoofed packets on a LAN, how to identify the source ?

    Andre Rodier wrote:
    > Hello everybody,
    >
    > I have about five servers behind a Cisco ASA, using local IP
    > addresses, like 192.168.0.0/24, on a switch. The Cisco gives access to
    > internal services using static NAT, by IP/ports.
    >
    > [snip]
    >
    > So, is it a local server that sends IP-spoofed packets and tries to bounce
    > off my server? Is this possible, and if yes, do you know a way to
    > identify the machine? The MAC address of the source packets is false...
    It's not a Linux question, but ...

    Even if the source MAC is spoofed, too, you can sometimes look in the
    arp table on your switch (before it expires, so you have to be fast) to
    see what port is associated with the suspect MAC address.

    BTW, if the packet is making it through the ASA, then the source MAC
    address you see on your server would be the MAC of the ASA. Make sure
    the MAC you think is spoofed isn't really the ASA.

    If you're not the switch admin, then make him your buddy. He might have
    extra diagnostic tools that can help. It kind of depends on the switch
    and how much instrumentation your company has around it.
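    Allen's two checks (is the source MAC really the ASA's inside interface, and which MAC to chase in the switch table) can be run over the iptables LOG lines Andre already collects. This is an added example, not code from either poster; the ASA MAC, the server MAC and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
ASA_MAC = "00:1a:2b:3c:4d:5e"  # hypothetical MAC of the ASA inside interface

def _log(src_ip, src_mac, dpt):
    # Constructed iptables LOG line; netfilter writes the MAC field as
    # dst(6 bytes):src(6 bytes):ethertype(2 bytes), so 14 octets in total.
    return (f"kernel: IN=eth0 OUT= MAC=00:16:3e:11:22:33:{src_mac}:08:00 "
            f"SRC={src_ip} DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP "
            f"SPT=54321 DPT={dpt} SYN URGP=0")
# Constructed sample lines, not from the original thread.
SAMPLE_LOGS = [
    _log("60.172.223.15", "de:ad:be:ef:00:01", 8000),  # external IP, odd MAC
    _log("203.0.113.7", ASA_MAC, 25),                    # NATed mail from the ASA
    _log("192.168.0.23", "00:0c:29:aa:bb:cc", 22),       # ordinary LAN neighbour
    _log("60.172.223.15", "de:ad:be:ef:00:01", 8000),   # same odd MAC again
]
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")

def parse_log_line(line):
    # Pull SRC, DPT and the Ethernet source MAC out of one LOG line.
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None
    parts = fields.get("MAC", "").split(":")
    src_mac = ":".join(parts[6:12]).lower() if len(parts) == 14 else None
    return {"src": fields["SRC"], "src_mac": src_mac, "dpt": fields.get("DPT")}

def classify(entry):
    # internal: LAN source; via-asa: arrived from the ASA, so genuinely
    # external; suspect: external source IP but not from the ASA's MAC.
    if ipaddress.ip_address(entry["src"]) in INTERNAL_NET:
        return "internal"
    if entry["src_mac"] == ASA_MAC:
        return "via-asa"
    return "suspect"

def suspect_macs(lines):
    # Count the source MACs behind suspect packets: these are the addresses
    # to look up in the switch's MAC/CAM table to find the physical port.
    hits = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry and classify(entry) == "suspect":
            hits[entry["src_mac"]] += 1
    return hits
```

    Feed it the real kernel log instead of SAMPLE_LOGS; a MAC that shows up here but is neither the ASA nor a known server is the one to look for on the switch before the table entry ages out.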

  3. Re: ip spoofed packets on a LAN, how to identify the source ?

    On Mon, 26 May 2008 01:32:41 -0500, Allen Kistler wrote:

    > Andre Rodier wrote:
    >> Hello everybody,
    >>
    >> I have about five servers behind a Cisco ASA, using local IP addresses,
    >> like 192.168.0.0/24, on a switch. The Cisco gives access to internal
    >> services using static NAT, by IP/ports.
    >>
    >> [snip]
    >>
    >> So, is it a local server that sends IP-spoofed packets and tries to bounce
    >> off my server? Is this possible, and if yes, do you know a way to
    >> identify the machine? The MAC address of the source packets is false...
    >
    > It's not a Linux question, but ...
    >
    > Even if the source MAC is spoofed, too, you can sometimes look in the
    > arp table on your switch (before it expires, so you have to be fast) to
    > see what port is associated with the suspect MAC address.
    >
    > BTW, if the packet is making it through the ASA, then the source MAC
    > address you see on your server would be the MAC of the ASA. Make sure
    > the MAC you think is spoofed isn't really the ASA.
    >
    > If you're not the switch admin, then make him your buddy. He might have
    > extra diagnostic tools that can help. It kind of depends on the switch
    > and how much instrumentation your company has around it.
    Thank you for your help, even if this list is not the most appropriate. I
    just wanted to know if a tool for tracing spoofed packets exists on
    Linux, but I think it's impossible.

    The MAC is not the Cisco one; I have already checked that.

    I'll do what you said about the switch ARP table.

    Thank you again.
    andre.
