MississippiGuardsman wrote: » What is the best way to track down an attempted IP Spoof? Noticed an attempted IP spoof logged on a firewall but the only info it lists is the IP and the MAC of the device the firewall is attached to. Do I need to get on the LAN segment and start wiresharking or is there a better way?
instant000 wrote: » Was it something external, with an internal source address, or something internal? If external ... you're kinda SOL, and it could just be the simple logic that if something external comes through bearing the source address of an internal host, it should be denied. (You usually see similar such rules for e-mail addresses.) This is the type of default rule that you leave on. If internal, you should be able to trace back through via the MAC, through a series of ARPs, and trace back through switchports until you get to the source host. (Of course, if someone's spoofing an IP, they could spoof a MAC, or ... you have a compromised host internally.) Let us know what you find out (if you won't violate company NDA by doing so). EDIT1: in this case, I'm referring to external as the network outside your firewall (high security), versus internal as the network inside your firewall (lower security). EDIT2: Just considered that you could have multiple or layered DMZs, such that it could be equipment that you own, that is also on the "external" side of the firewall, that you could track down as the source of the traffic.
MississippiGuardsman wrote: » I've gone through the ARP tables but this is a very large router and there are many IP addresses tied to the same MAC...however, none of them match the IP reported in the firewall. We've got a NAM in that router so I think I'm going to do some captures and see what I come up with.
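The two situations discussed in this thread (an external packet carrying an internal source address, which the firewall should simply drop, versus an internal spoof that is traced MAC by MAC through the ARP and switch tables to a port) can be worked through offline with a small correlation script. The following is an added example written for this page, not code from either poster or from any firewall vendor: the log format, the ARP table, the switch MAC-address tables and the address ranges are all constructed, and the table contents are chosen to reproduce the second poster's observation that the spoofed IP has no ARP entry while the reported MAC is shared by many addresses (i.e. it is a router interface, so the trace has to continue on the far side of that device or on a capture there).

```python
import ipaddress
import re

# Constructed sample firewall log (hypothetical syslog-style format, not the
# poster's firewall).  Spoof lines carry exactly what the original post said
# was available: the offending source IP and the MAC seen on the segment.
FIREWALL_LOG = """\
Jan 12 10:01:07 fw1 kernel: IP spoof detected: src=10.20.5.77 dst=10.20.1.10 in=outside mac=00:1a:2b:3c:4d:5e
Jan 12 10:01:09 fw1 kernel: IP spoof detected: src=10.20.5.77 dst=10.20.1.10 in=outside mac=00:1a:2b:3c:4d:5e
Jan 12 10:03:44 fw1 kernel: IP spoof detected: src=192.168.9.4 dst=10.20.1.25 in=inside mac=aa:bb:cc:dd:ee:01
Jan 12 10:05:00 fw1 kernel: accepted: src=10.20.5.12 dst=10.20.1.10 in=inside mac=aa:bb:cc:dd:ee:02
"""

# Address space treated as "inside" the firewall (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed ARP table from the core router (ip -> mac).  Several addresses
# share 00:1a:2b:3c:4d:5e because that MAC is the upstream router's interface.
ARP_TABLE = {
    "10.20.5.1": "00:1a:2b:3c:4d:5e",
    "10.20.6.1": "00:1a:2b:3c:4d:5e",
    "10.20.7.1": "00:1a:2b:3c:4d:5e",
    "10.20.5.12": "aa:bb:cc:dd:ee:02",
    "192.168.9.40": "aa:bb:cc:dd:ee:01",
}

# Constructed switch MAC-address tables: mac -> (switch, port).  Uplink ports
# are listed so the trace knows when it must hop to the neighbouring device.
MAC_TABLE = {
    "00:1a:2b:3c:4d:5e": ("sw-core-1", "Te1/1"),
    "aa:bb:cc:dd:ee:01": ("sw-access-3", "Gi1/0/14"),
    "aa:bb:cc:dd:ee:02": ("sw-access-3", "Gi1/0/9"),
}
UPLINK_PORTS = {("sw-core-1", "Te1/1")}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>[^:]+): "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) in=(?P<iface>\S+) mac=(?P<mac>\S+)$"
)


def parse_spoof_events(log_text):
    """Return the spoof-detection lines as dicts; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("msg") == "IP spoof detected":
            events.append(m.groupdict())
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Which of the two cases from the thread this event falls into."""
    if event["iface"] == "outside" and is_internal(event["src"]):
        return "external-with-internal-source"   # just keep the deny rule on
    if event["iface"] == "inside":
        return "internal"                          # worth tracing to a port
    return "other"


def trace(event, arp_table=ARP_TABLE, mac_table=MAC_TABLE, uplinks=UPLINK_PORTS):
    """Follow the reported MAC toward a switch port and explain what the tables show."""
    src, mac = event["src"], event["mac"].lower()
    hosts_on_mac = sorted(ip for ip, m in arp_table.items() if m == mac)
    port = mac_table.get(mac)
    notes = []
    if src not in arp_table:
        notes.append("source IP has no ARP entry; follow the MAC instead")
    if len(hosts_on_mac) > 1:
        notes.append(f"MAC shared by {len(hosts_on_mac)} addresses: a router/gateway "
                     "interface, so the real sender is behind that device")
    if port is None:
        notes.append("MAC not in any switch table; capture on the segment")
    elif port in uplinks:
        notes.append(f"{port[0]} {port[1]} is an uplink; repeat the lookup on the neighbour")
    else:
        notes.append(f"access port {port[0]} {port[1]}: inspect the attached host")
    return {"src": src, "mac": mac, "direction": classify(event),
            "src_in_arp": src in arp_table, "hosts_on_mac": hosts_on_mac,
            "switch_port": port, "notes": notes}


def summarize(log_text):
    """Collapse repeated spoof lines and trace each distinct (src, mac) pair once."""
    seen = {}
    for e in parse_spoof_events(log_text):
        key = (e["src"], e["mac"].lower())
        seen.setdefault(key, dict(trace(e), count=0))["count"] += 1
    return list(seen.values())


if __name__ == "__main__":
    for r in summarize(FIREWALL_LOG):
        print(f"{r['src']} via {r['mac']} x{r['count']} [{r['direction']}]")
        for n in r["notes"]:
            print("   -", n)
```

Run as-is it reports the first pair as an external packet with an internal source (nothing to chase, the deny rule is doing its job) whose MAC resolves to a shared router interface on an uplink, and the second as an internal event landing on a specific access port. In practice the ARP and MAC tables would be pulled from the devices rather than typed in, and an uplink result means re-running the lookup on the next switch or, as the poster planned, capturing on that segment.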