We've been told that someone on our network is spoofing an IP address. Is there any way to track this down to a specific source server or even IP? We only have a simple Cisco 3560G router and a packet flow output (with source IP/port and dest IP/port) from the datacenter.
If it's not simple to do, can someone recommend a person/company who could look into this for us?
This is simply a top-of-rack switch we have, which doesn't have NetFlow. Would it still be possible to trace back to the source? Or would we need information from the datacenter's routers?
I don't think your data centre will be able to help, assuming your 3560 is actually doing routing, as the MAC address won't be exposed beyond the 3560. If you're just interested in blocking the traffic, you can just enable uRPF as per here: http://www.cisco.com/web/about/secur...icast-rpf.html
If you actually want to determine who's doing the spoofing, it's going to be a bit time consuming given your network setup. As presumably all the servers are going straight into this 3560, there probably isn't a single trunk link you can sniff traffic on, so you're going to have to mirror the ports to the servers on an individual basis. If you have the ports to spare, and a machine with enough NICs, you could set up 2 or even more at a time as well. Then just do a tcpdump on each NIC and match the spoofed IP address/range. If you're running VMs, also make sure you specify the -e option to print the link-level header, so you can see the MAC address of the VM as well.
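The tcpdump step above, as an added example that is not part of the original thread: a Python script that reads saved `tcpdump -e -n` output from a mirrored port and groups every source IP that lies outside the rack's own prefixes by the sending MAC address, so each spoofed address points back at a physical port or VM. The sample capture lines and the 198.51.100.0/24 prefix are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Start of a `tcpdump -e -n` line: timestamp, source MAC > dest MAC, ethertype,
# then "srcIP.port > dstIP.port". Non-IPv4 frames (ARP, IPv6) are skipped.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+",
    re.IGNORECASE,
)

# Constructed sample capture: host ..:01 sends from its real address, host ..:02
# sends from two addresses in a prefix the rack does not own (the spoofer).
SAMPLE = """\
10:01:02.000001 00:0c:29:aa:bb:01 > 00:1e:14:c0:ff:ee, ethertype IPv4 (0x0800), length 74: 198.51.100.10.443 > 192.0.2.55.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
10:01:02.000002 00:0c:29:aa:bb:02 > 00:1e:14:c0:ff:ee, ethertype IPv4 (0x0800), length 60: 203.0.113.77.80 > 192.0.2.55.40000: Flags [S], seq 0, win 8192, length 0
10:01:02.000003 00:0c:29:aa:bb:02 > 00:1e:14:c0:ff:ee, ethertype IPv4 (0x0800), length 60: 203.0.113.78.80 > 192.0.2.56.40001: Flags [S], seq 0, win 8192, length 0
10:01:02.000004 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 198.51.100.1 tell 198.51.100.10, length 28
"""


def spoofed_sources(lines, legit_prefixes):
    """Return {source MAC: {spoofed source IPs}} for IPv4 frames whose source
    address is outside every prefix in legit_prefixes (the rack's own space)."""
    nets = [ipaddress.ip_network(p) for p in legit_prefixes]
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 frame in the expected format
        sip = ipaddress.ip_address(m.group("sip"))
        if not any(sip in n for n in nets):
            hits[m.group("smac").lower()].add(str(sip))
    return dict(hits)


if __name__ == "__main__":
    # Real use: tcpdump -e -n -i <mirror NIC> -w - | tcpdump -e -n -r - > cap.txt
    for mac, ips in spoofed_sources(SAMPLE.splitlines(), ["198.51.100.0/24"]).items():
        print(f"{mac} sent from non-local source(s): {', '.join(sorted(ips))}")
```

Run it against the text output of each mirrored port's capture; the MAC that shows up is the one to look up in `show mac address-table` on the 3560 to find the port (or the VM, if the MAC belongs to a guest).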