How to Find Source of Fake IP

ahmad82pkn
Level 3

Hi, my router is hit by fake traffic from IP 10.10.101.33.

I can see it in my accounting packets.

10.10.101.33 doesn't exist in my LAN; it's not a valid IP.

sh ip route 10.10.101.33
% Subnet not in table

Default route goes to Cisco ASA.

How can I find out the MAC of this IP, or is there any other way to find out where this IP belongs in my LAN?

That's what I see in accounting.

And on the firewall, all I see is SYN packets coming from inside and going to outside.

sh ip accounting | i 10.10.101.33


Logs on Cisco ASA

sh conn long | inc 10.10.101.33
TCP OUTSIDE:39.152.53.111/3306 (39.152.53.111/3306) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.111/1433 (39.152.53.111/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/135 (39.152.53.110/135) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/3306 (39.152.53.110/3306) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:121.14.53.120/1433 (121.14.53.120/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/1433 (39.152.53.110/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:222.72.1.181/135 (222.72.1.181/135) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:121.14.53.119/6673 (121.14.53.119/6673) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.109/6667 (39.152.53.109/6667) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0


Bilal Nawaz
VIP Alumni

Try having a look in the arp table.

Show arp | inc x.x.x.x


Andras Dosztal
Level 3

Once you have the MAC address using what Bilal wrote, enter "show mac address-table xxxx.xxxx.xxxx" to find the interface it's connected to.
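As an added example (not code from the thread or from Cisco), here is the two-step lookup the two replies describe, run over constructed "show arp" and "show mac address-table" output; the MAC values and port names are assumptions, and the function also reports the case the original poster is in, where the IP lies outside every connected subnet and so has no ARP entry to chain from:

```python
import re
# Constructed sample outputs (not from the thread): IOS "show arp" on the
# router and "show mac address-table" on the access switch; values made up.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.101.33           12   001c.0f12.ab34  ARPA   Vlan10
"""
MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    001c.0f12.ab34    DYNAMIC     Gi1/0/17
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_LINE = re.compile(r"Internet\s+(\S+)\s+\S+\s+(" + MAC + r")\s")
MAC_LINE = re.compile(r"\s*(\d+)\s+(" + MAC + r")\s+\S+\s+(\S+)")

def arp_lookup(arp_text, ip):
    """Step 1 (show arp | inc <ip>): MAC the router cached for ip, or None."""
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(1) == ip:
            return m.group(2)
    return None

def mac_table_lookup(mac_text, mac):
    """Step 2 (show mac address-table): (vlan, port) that learned mac, or None."""
    for line in mac_text.splitlines():
        m = MAC_LINE.match(line)
        if m and m.group(2) == mac.lower():
            return int(m.group(1)), m.group(3)
    return None

def locate_host(ip, arp_text=ARP_OUTPUT, mac_text=MAC_TABLE_OUTPUT):
    """Chain both lookups and say explicitly where the trail goes cold."""
    result = {"ip": ip, "mac": None, "vlan": None, "port": None, "note": ""}
    mac = arp_lookup(arp_text, ip)
    if mac is None:
        # A router only ARPs for directly connected subnets, so an IP that is
        # "% Subnet not in table" will normally have no ARP entry at all.
        result["note"] = "no ARP entry on the router for this IP"
        return result
    result["mac"] = mac
    hit = mac_table_lookup(mac_text, mac)
    if hit is None:
        result["note"] = "MAC not learned on this switch; check other switches"
        return result
    result["vlan"], result["port"] = hit
    return result
```

When the ARP step comes back empty, the source MAC has to be read from the frames themselves rather than from the router's tables.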
