03-07-2007 12:18 PM - edited 03-11-2019 02:43 AM
Hi ALL,
We have a PIX device that is suffering some strange behavior. On the PIX device, we receive a large amount of Deny IP spoof messages like this:
%PIX-2-106016: Deny IP spoof from ("Internet IP Address") to 0.0.0.0 on interface DMZ1
The "destination" IP address is always "0.0.0.0" and, as shown in the data collected from our sniffer and illustrated in the topology, in all cases it is a "SYN" packet, and it "seems" that this packet is originating from the Local Director devices, because through the sniffer we have always seen this packet going from the Local Director toward the PIX device.
We have at least 10 different Internet IP addresses with the same message ("Deny IP spoof") on the PIX device.
Has anyone already suffered this kind of behavior?
Thanks,
Marcelo
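The message format quoted above is regular enough to aggregate mechanically. The following script is an added example, not part of the thread or Cisco's own tooling: it parses `%PIX-2-106016` syslog lines, counts hits and distinct source addresses per interface, and flags the pattern described in the post (several sources, every one of them aimed at 0.0.0.0). The log lines are constructed samples using documentation address ranges, and the hostname and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %PIX-2-106016 format quoted in the post.
# Source addresses are RFC 5737 documentation ranges, not real Internet hosts;
# the "pix-dmz" hostname and timestamps are placeholders.
SAMPLE_LOG = """\
Mar  7 12:01:03 pix-dmz %PIX-2-106016: Deny IP spoof from (198.51.100.23) to 0.0.0.0 on interface DMZ1
Mar  7 12:01:04 pix-dmz %PIX-2-106016: Deny IP spoof from (203.0.113.77) to 0.0.0.0 on interface DMZ1
Mar  7 12:01:05 pix-dmz %PIX-2-106016: Deny IP spoof from (198.51.100.23) to 0.0.0.0 on interface DMZ1
Mar  7 12:01:09 pix-dmz %PIX-2-106016: Deny IP spoof from (192.0.2.9) to 10.1.1.5 on interface inside
Mar  7 12:01:10 pix-dmz %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.7/51000 (10.1.1.7/51000)
"""

# Matches only the 106016 message; other PIX message IDs are ignored.
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_spoof_events(log_text):
    """Return a list of (src, dst, iface) tuples, one per 106016 message."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), m.group("iface")))
    return events


def summarize_by_interface(events):
    """Per interface: total hits, number of distinct sources, and how many
    denials had 0.0.0.0 as the destination."""
    acc = defaultdict(lambda: {"hits": 0, "sources": set(), "null_dst": 0})
    for src, dst, iface in events:
        entry = acc[iface]
        entry["hits"] += 1
        entry["sources"].add(src)
        if dst == "0.0.0.0":
            entry["null_dst"] += 1
    return {
        iface: {
            "hits": v["hits"],
            "distinct_sources": len(v["sources"]),
            "null_dst": v["null_dst"],
        }
        for iface, v in acc.items()
    }


def flag_anomalous_interfaces(summary, min_sources=2):
    """Interfaces where denials come from at least min_sources distinct
    addresses and every denial targets 0.0.0.0, the pattern in the post.
    A single mis-addressed host would not trip this; a flood of forged
    SYNs with varying sources and a null destination does."""
    return sorted(
        iface
        for iface, v in summary.items()
        if v["distinct_sources"] >= min_sources and v["null_dst"] == v["hits"]
    )


if __name__ == "__main__":
    summary = summarize_by_interface(parse_spoof_events(SAMPLE_LOG))
    for iface, v in summary.items():
        print(f"{iface}: {v['hits']} hits, {v['distinct_sources']} sources, "
              f"{v['null_dst']} to 0.0.0.0")
    print("suspicious interfaces:", flag_anomalous_interfaces(summary))
```

Run it against a real syslog export by replacing `SAMPLE_LOG` with the file contents; the per-interface breakdown tells you which segment to put the sniffer on, which is the next step the replies below recommend.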
03-07-2007 03:18 PM
PIX is doing its job by denying the spoofed packets. What you need to do is track this down.
Under attack issues, the best policy is always to move as close to source as possible. Now that you have already tracked that:
- PIX is receiving and denying the attack
- Attack packets are SYN packets
- they are various IP addresses
- packets are coming through the Local Director
Next step would be to move onto the Local Director and find what is the next device and how can we prevent these packets on the next device.
Regards,
Vibhor.
03-08-2007 10:56 AM
Hi Vibhor,
Ok, thanks for the notes that you provided.
As shown in the topology, behind the Local Director we do not see this type of traffic with a sniffer attached in that segment, and one more piece of info about that traffic is that the MAC, for both source and destination, is the same as that of the PIX DMZ1 interface.
Thanks,
Marcelo
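The observation above (source and destination MAC both equal to the PIX DMZ1 interface MAC) is something you can check for across a whole capture rather than frame by frame. The script below is an added example, not from the thread: it parses the Ethernet II header of raw frames and reports the ones whose source and destination MAC are both the firewall's own address, which no legitimate neighbour would ever send. The firewall and Local Director MACs and the sample frames are constructed placeholders.

```python
import struct

# Constructed placeholder for the firewall's DMZ1 interface MAC; not from the thread.
PIX_DMZ1_MAC = "00:50:56:aa:bb:01"
# Constructed placeholder for the Local Director's MAC on the same segment.
LD_MAC = "00:50:56:aa:bb:02"


def mac_str(raw):
    """Render 6 raw bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    """Inverse of mac_str, used only to build the constructed sample frames."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_sample_frame(dst_mac, src_mac, ethertype=0x0800, payload=b"\x45\x00"):
    """Assemble an in-memory Ethernet II frame for the constructed samples below."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype


def frames_with_reflected_mac(frames, own_mac):
    """Indices of frames whose source and destination MAC are both own_mac.
    On the wire, a host only ever sees its own MAC as the destination (or as
    the source of frames it sent itself), so a received frame carrying it in
    both fields was forged somewhere on the segment."""
    own = own_mac.lower()
    hits = []
    for i, frame in enumerate(frames):
        dst, src, _ = parse_ethernet(frame)
        if dst == own and src == own:
            hits.append(i)
    return hits


# Constructed sample capture: two ordinary frames and one forged one.
SAMPLE_FRAMES = [
    build_sample_frame(PIX_DMZ1_MAC, LD_MAC),         # normal: Local Director -> PIX
    build_sample_frame(PIX_DMZ1_MAC, PIX_DMZ1_MAC),   # forged: both MACs are the PIX's
    build_sample_frame(LD_MAC, PIX_DMZ1_MAC),         # normal: PIX -> Local Director
]

if __name__ == "__main__":
    for i in frames_with_reflected_mac(SAMPLE_FRAMES, PIX_DMZ1_MAC):
        print(f"frame {i}: src and dst MAC both {PIX_DMZ1_MAC}, forged")
```

With a real capture, feed the raw frame bytes from each packet record into `frames_with_reflected_mac`; because the check is purely on the layer-2 header, it works whether the forged packets are SYNs or anything else, and moving the capture point (as the next reply suggests) shows on which segment they first appear.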
03-08-2007 12:04 PM
haha.. a smart spoofer, at least he has done his Google search well...
Anyway, I assume that this SYN packet is a fabricated packet. That means I can use 200 free utilities, at least that I know of; klcconsulting.net has designed a SMAC spoofer that works well for all packets from Windows clients to spoof the MAC address of any device and make it the MAC address of those spoofed packets hitting the firewall.
Therefore it's not surprising at all to see the MAC address of the DMZ interface for that packet.
You might like to read these one fine sunday morning..:-)
http://www.xs4all.nl/~rmeijer/spoofing.html
http://archives.neohapsis.com/archives/incidents/2002-11/0030.html
My Suggestions :-
1) Why don't you disconnect the Local Director for a few minutes, or else isolate the PIX interface where you are getting hit by these spoofed packets, and see if you still notice this crappy traffic in the logs?
This way we can at least isolate and narrow down the issue and then can further proceed ahead...