06-19-2009 07:52 AM - edited 03-04-2019 05:11 AM
We have a Juniper Firewall with the following:
Eth0/1 Trust (LAN) - 192.168.1.0/24
Eth1/0 DMZ - 172.20.0.0/28
Eth1/1 DMZ2 - 172.30.0.0/27
There is a Cisco Router on 192.168.1.200
We are seeing a lot of IP spoofing traffic on the Juniper firewall. On investigation, we find that there is broadcast traffic from 172.30.0.2, 3 & 4 to 172.30.0.31 on ports 137 & 138. This occurs in random sequence, but at regular intervals. However, the reason why it is IP spoofing is that this traffic is generated from the Trust zone (i.e. the 192.168.1.0 side). When we did a packet trace, we found that the MAC on the source IPs (172.30.0.2-4) was that of the Cisco router.

The Cisco router is connecting the branch office (192.100.100.0/24) to HO. The Cisco router has static routes for 172.20.0.0 & 172.30.0.0 to allow BO PCs to access servers in the DMZs. We need to further investigate and find the source of this broadcast traffic.

My query is, as I am not too familiar with the debug commands on the Cisco router, how do I capture packets on the Cisco router, filtered on source or destination IP/port? Also I need further help in resolving the issue. Thanks in advance for any help.
06-20-2009 09:34 AM
Hi,
Ports 137 & 138 are used to transport NetBIOS over IP.
172.30.0.31 is what we call a directed broadcast and is filtered by default since 12.0:
You can verify if directed broadcast is enabled or not with the show ip interface:
Router# show ip interface g 0/3
GigabitEthernet0/3 is up, line protocol is up
Internet address is 10.1.1.1/16
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
...
It will not help you to identify which machine is generating this traffic but it will help to explain why the router is forwarding it.
If you have only one site behind the router, you should sniff the traffic on the LAN of this site directly. If there is a WAN connection used by this site to join the HO, capturing the traffic on the router will not help to identify the hosts.
HTH
Laurent.
06-20-2009 08:19 PM
Thanks Laurent. I have disabled IP directed broadcast on the router interface facing the firewall. I still see the broadcast traffic on the firewall. The idea of looking at the traffic inside the router was to confirm that the origin of the traffic was indeed the BO. Moreover, it was to broaden my understanding of how the internals of the router function. The router in question is a Cisco 1721 running IOS 12.4(1c).
06-21-2009 07:25 AM
As a quick note, remember that the MAC of all traffic originating from that interface of that router will bear that interface's MAC address, regardless of the source IP address.
In order to track it back, you need to follow the source IP, and go interface-to-interface on the MAC (a show ip arp will give you an address-to-MAC map).
Every span will change the MAC to the source interface's MAC, but the source IP should be the same (although if it is an attack, it can be manipulated).
Good Luck
06-22-2009 12:22 AM
Thanks Scott. That the Cisco router is not the originator of the spoofing traffic is understood. However, I would like to peek into the traffic on the router to trace the track of the traffic. What is unusual is that the source IP 172.30.x.x should not be seen from this zone. I just need to ascertain from the router whether the traffic originates from the 192.100.100.x network or 192.168.1.x. I guess I need to capture traffic on the LAN segment to do that. I was hoping the Cisco router would present me an easier way to find out.
06-22-2009 05:10 AM
Hi,
You can capture transit packets on the router, but it has a serious performance impact, as you first need to fall back to process switching, so it is at your own risk.
Laurent.
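The following is an added example, not part of the thread or any poster's configuration. It pulls together what Laurent's two replies describe (checking directed-broadcast forwarding, and capturing transit packets once the interface is process-switched) with the ACL-filtered debug the original question asked for, and adds the ingress filter a practitioner would use to stop spoofed sources from the branch link. The interface names FastEthernet0 (LAN toward the Juniper, 192.168.1.200) and Serial0 (WAN toward the branch), the ACL number 150 and the ACL name BRANCH-IN are assumptions; the thread does not name them. Everything else (the IOS commands and the debug output format) is standard 12.4 IOS.

```cisco
! Assumed interface names (not given in the thread): FastEthernet0 faces the
! Juniper firewall (192.168.1.200), Serial0 is the WAN link to the branch.
!
! 1. Confirm directed broadcasts are not forwarded on the firewall-facing interface.
Router# show ip interface FastEthernet0 | include Directed broadcast
Router# configure terminal
Router(config)# interface FastEthernet0
Router(config-if)# no ip directed-broadcast
Router(config-if)# exit
!
! 2. Match only the suspect flows: NetBIOS (UDP 137/138) from the 172.30.0.0/27
!    hosts to that subnet's broadcast address 172.30.0.31. ACL 150 is a chosen number.
Router(config)# access-list 150 permit udp 172.30.0.0 0.0.0.31 host 172.30.0.31 eq 137
Router(config)# access-list 150 permit udp 172.30.0.0 0.0.0.31 host 172.30.0.31 eq 138
!
! 3. "debug ip packet" only sees process-switched packets, so disable the route
!    cache on the WAN interface for the duration of the capture. This costs CPU on
!    a 1721; do it in a quiet period and re-enable the cache afterwards.
Router(config)# interface Serial0
Router(config-if)# no ip route-cache
Router(config-if)# end
Router# terminal monitor
Router# debug ip packet 150 detail
! Each debug line shows the ingress interface in parentheses after s= and the
! egress interface after d=, for example:
!   IP: s=172.30.0.2 (Serial0), d=172.30.0.31 (FastEthernet0), len 78, forward
! s=... (Serial0) means the packet arrived from the branch over the WAN;
! s=... (FastEthernet0) means it arrived from the HO LAN side.
Router# undebug all
Router# configure terminal
Router(config)# interface Serial0
Router(config-if)# ip route-cache
Router(config-if)# exit
!
! 4. Lighter-weight alternative and the permanent fix: an ingress filter on the
!    branch link that refuses any source address that cannot legitimately come
!    from the branch (HO LAN, both DMZs), logging hits so the spoofed source IP
!    shows up in the syslog without any debug at all.
Router(config)# ip access-list extended BRANCH-IN
Router(config-ext-nacl)# deny   ip 172.30.0.0 0.0.0.31 any log
Router(config-ext-nacl)# deny   ip 172.20.0.0 0.0.0.15 any log
Router(config-ext-nacl)# deny   ip 192.168.1.0 0.0.0.255 any log
Router(config-ext-nacl)# permit ip 192.100.100.0 0.0.0.255 any
Router(config-ext-nacl)# deny   ip any any log
Router(config-ext-nacl)# exit
Router(config)# interface Serial0
Router(config-if)# ip access-group BRANCH-IN in
Router(config-if)# end
Router# show access-lists BRANCH-IN
Router# show logging | include BRANCH-IN
!
! Same effect without hand-written address lists (requires CEF): strict uRPF
! drops any packet whose source address would not be routed back out the
! interface it arrived on. The static routes for 172.20.0.0 and 172.30.0.0 point
! toward the firewall, so a 172.30.0.x source arriving on Serial0 fails the check.
Router# configure terminal
Router(config)# ip cef
Router(config)# interface Serial0
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
```

Step 3 answers the question of which side the packets enter on; step 4 stops them and records the offending source IP in the log. Neither tells you which branch host is really sending them, because the router only ever sees its own upstream's MAC on Serial0 (Scott's point); for that, the capture has to happen on the branch LAN itself, as Laurent said. If the debug shows the packets arriving on FastEthernet0 instead, the problem is on the HO side and the filter belongs on the Juniper's Trust interface, not on the router.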