Tracing IP Spoofing

vinbuck Member Posts: 785
What is the best way to track down an attempted IP Spoof? Noticed an attempted IP spoof logged on a firewall but the only info it lists is the IP and the MAC of the device the firewall is attached to. Do I need to get on the LAN segment and start wiresharking or is there a better way?
Cisco was my first networking love, but my "other" router is a Mikrotik...

Comments

  • instant000 Member Posts: 1,745
    vinbuck wrote: »
    What is the best way to track down an attempted IP Spoof? Noticed an attempted IP spoof logged on a firewall but the only info it lists is the IP and the MAC of the device the firewall is attached to. Do I need to get on the LAN segment and start wiresharking or is there a better way?

    Was it something external, with an internal source address, or something internal?

    If external ... you're kinda SOL, and it could just be the simple logic that if something external comes through bearing the source address of an internal host, it should be denied. (You usually see similar rules for e-mail addresses.) This is the type of default rule that you leave on.

    If internal, you should be able to trace back via the MAC, through a series of ARPs, and trace back through switchports until you get to the source host.

    (Of course, if someone's spoofing an IP, they could spoof a MAC, or ... you have a compromised host internally.)

    Let us know what you find out (if you won't violate company NDA by doing so).

    EDIT1: In this case, I'm referring to external as the network outside your firewall (high security), versus internal as the network inside your firewall (lower security).
    EDIT2: Just considered that you could have multiple or layered DMZs, such that it could be equipment that you own, that is also on the "external" side of the firewall, that you could track down as the source of the traffic.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • vinbuck Member Posts: 785
    instant000 wrote: »
    Was it something external, with an internal source address, or something internal?

    If external ... you're kinda SOL, and it could just be the simple logic that if something external comes through bearing the source address of an internal host, it should be denied. (You usually see similar rules for e-mail addresses.) This is the type of default rule that you leave on.

    If internal, you should be able to trace back via the MAC, through a series of ARPs, and trace back through switchports until you get to the source host.

    (Of course, if someone's spoofing an IP, they could spoof a MAC, or ... you have a compromised host internally.)

    Let us know what you find out (if you won't violate company NDA by doing so).

    EDIT1: In this case, I'm referring to external as the network outside your firewall (high security), versus internal as the network inside your firewall (lower security).
    EDIT2: Just considered that you could have multiple or layered DMZs, such that it could be equipment that you own, that is also on the "external" side of the firewall, that you could track down as the source of the traffic.

    I've gone through the ARP tables, but this is a very large router and there are many IP addresses tied to the same MAC... however, none of them match the IP reported in the firewall. We've got a NAM in that router, so I think I'm going to do some captures and see what I come up with.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • instant000 Member Posts: 1,745
    vinbuck wrote: »
    I've gone through the ARP tables, but this is a very large router and there are many IP addresses tied to the same MAC... however, none of them match the IP reported in the firewall. We've got a NAM in that router, so I think I'm going to do some captures and see what I come up with.

    EDIT: Just realized that you said nothing you currently see matches the IP reported in the firewall ... can't track it without evidence of where it is, LOL. This goes back to the original idea of spoofed, meaning that someone from Canada is trying to get in by attempting to pretend that their source IP is inside your network. (Note: I have nothing against Canada, except for their calling ham "bacon")

    Many IP addresses attached to the same MAC would mean many IPs coming through the same interface (think trunk ports between switches).

    You should be able to track this through your equipment (sh cdp, sh arp, wash, rinse, repeat) ... heck, did a traceroute find it already? Just look there.

    If it's within your control, you should be able to find the source of the traffic.
    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
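As an added illustration of the "sh cdp, sh arp, wash, rinse, repeat" walk described above (example code written here, not posted by anyone in the thread): the ARP, MAC-address and CDP tables are constructed sample data standing in for the corresponding show-command output, and the hop-by-hop trace stops either at an access port with no switch neighbour or, as in the case reported, where the MAC simply is not learned anywhere.

```python
"""Trace a MAC seen by the firewall back to an access port, switch by switch."""
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    mac_table: dict                          # MAC -> local port that learned it
    cdp: dict = field(default_factory=dict)  # local port -> CDP neighbour switch

# Constructed sample data (not from the thread): a core switch facing the
# firewall, a distribution switch, and an access switch with the host on Gi1/0/7.
SWITCHES = {
    "core":  Switch("core",  {"0011.2233.4455": "Gi1/0/48"}, {"Gi1/0/48": "dist1"}),
    "dist1": Switch("dist1", {"0011.2233.4455": "Gi1/0/2"},  {"Gi1/0/1": "core", "Gi1/0/2": "acc1"}),
    "acc1":  Switch("acc1",  {"0011.2233.4455": "Gi1/0/7"},  {"Gi1/0/24": "dist1"}),
}
# Constructed 'show ip arp' style table on the core: IP -> MAC.
CORE_ARP = {
    "10.1.1.10": "0011.2233.4455",
    "10.1.2.1": "aabb.cc00.0100", "10.1.3.1": "aabb.cc00.0100",  # many IPs, one MAC
}

def ips_for_mac(arp, mac):
    """All IPs the ARP table ties to one MAC. Several IPs behind a single MAC
    usually means a router interface or trunk, not the end host itself."""
    return sorted(ip for ip, m in arp.items() if m == mac)

def trace_mac(switches, start, mac, max_hops=16):
    """Walk the MAC from switch `start` until it lands on a port with no CDP
    neighbour (an access port) or the trail runs out. Returns (switch, port, status)."""
    current, visited = start, []
    for _ in range(max_hops):
        sw = switches[current]
        port = sw.mac_table.get(mac)
        if port is None:                 # MAC never learned here: nothing to follow
            return current, None, "mac-not-learned"
        visited.append(current)
        nxt = sw.cdp.get(port)
        if nxt is None:                  # no neighbour switch: this is the edge port
            return current, port, "access-port"
        if nxt in visited:               # guards against stale tables pointing in a loop
            return current, port, "loop"
        current = nxt
    return current, None, "hop-limit"

if __name__ == "__main__":
    print(ips_for_mac(CORE_ARP, "aabb.cc00.0100"))        # ['10.1.2.1', '10.1.3.1']
    print(trace_mac(SWITCHES, "core", "0011.2233.4455"))  # ('acc1', 'Gi1/0/7', 'access-port')
    print(trace_mac(SWITCHES, "core", "dead.beef.0000"))  # ('core', None, 'mac-not-learned')
```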