
Spoofing

ray_stone
Level 1

Hi,

We have installed an ASA 5505 in production and are getting a huge number of the following logs:

(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside

1.1.1.1 ----Outside Interface IP

2.2.2.2 ---- It's an internal machine's public IP, which is static and used in static NAT for the internal machine.

Please advise if it's an attack and what action needs to be taken. Ray

3 Replies

ray_stone
Level 1

Can anyone respond to this? We are getting the same huge logs, so I would request all experts to kindly advise me what to do with it, as our production services are being affected. Please advise on a priority basis. Thanks, Ray

What does your topology look like? It would be much easier to answer I think.

--John

HTH, John *** Please rate all useful posts ***

Per Cisco:

Explanation

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

* Loopback network (127.0.0.0)
* Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
* The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

HTH,

--John

HTH, John *** Please rate all useful posts ***
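An added example, not part of the original thread or of Cisco's documentation: a Python script that tallies 106016 events from exported syslog text and labels each one using the invalid-source categories quoted above, plus the case from this thread where the source is the appliance's own outside address. The function names, the `own_ips` parameter and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the form quoted in this thread, "(106016) Deny IP spoof from(1.1.1.1) ...",
# and the usual syslog form, "%ASA-2-106016: Deny IP spoof from (1.1.1.1) ...".
SPOOF_RE = re.compile(
    r"106016\)?:?\s+Deny IP spoof from\s*\((?P<src>[\d.]+)\)\s+to\s+(?P<dst>[\d.]+)"
    r"\s+on interface\s+(?P<iface>\S+)"
)

def classify(src, dst, own_ips):
    """Label why the source address is invalid, following the quoted explanation."""
    if ipaddress.ip_address(src).is_loopback:
        return "loopback-source"
    # Only the limited broadcast is checked; directed broadcasts need the subnet masks.
    if src == "255.255.255.255":
        return "broadcast-source"
    if src == dst:
        return "land (source equals destination)"
    if src in own_ips:  # own_ips: addresses configured on the appliance (assumption)
        return "source is the appliance's own interface address"
    return "other-invalid-source"

def summarize(lines, own_ips):
    """Count 106016 events per (reason, source, destination, interface)."""
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if m:
            reason = classify(m["src"], m["dst"], own_ips)
            counts[(reason, m["src"], m["dst"], m["iface"])] += 1
    return counts

# Constructed sample lines; the addresses are the placeholders used in the thread.
SAMPLE = [
    "(106016) Deny IP spoof from(1.1.1.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (2.2.2.2) to 2.2.2.2 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 1 for outside:3.3.3.3/1234",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, own_ips={"1.1.1.1"}).most_common():
        print(n, *key, sep="\t")
```

A tally dominated by one (source, destination, interface) tuple, as in the thread, is the detail to bring to the topology question asked in the first reply.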