topic Re: Spoofing in Network Security

Spoofing

ray_stone — Mon, 11 Mar 2019 14:14:03 GMT

Hi,

We have installed ASA 5505 in production and getting huge following logs:

(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside

1.1.1.1 ----Outside Interface IP

2.2.2.2 ----Its a Internal Machine Public IP which is static using in static nat for internal machine.

Please advice, its an attack and what action need to be taken. Ray

Re: Spoofing

ray_stone — Wed, 19 Nov 2008 13:51:44 GMT

Can anyone respond on this as we are getting same huge logs so I wud request to all experts kindly advice me what to do with it as our production services are being affected. Please advice on priority basis. Thanks Ray

Re: Spoofing

John Blakley — Wed, 19 Nov 2008 15:16:15 GMT

What does your topology look like? It would be much easier to answer I think.

--John

Re: Spoofing

John Blakley — Wed, 19 Nov 2008 15:42:27 GMT

Per Cisco:

Explanation

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

*Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

HTH,

--John