
Thread: IP Spoofing

  1. #1
    Join Date
    Jul 2008
    Location
    New Zealand
    Posts
    1,208

    IP Spoofing

    We've been told that someone on our network is spoofing an IP address. Is there any way to track this down to a specific source server or even IP? We only have a simple Cisco 3560G router and a packet flow output (with source ip/port and dest ip/port) from the datacenter.

    If it's not simple to do, can someone recommend a person/company who could look into this for us?
    Last edited by bhavicp; 01-28-2014 at 03:36 PM.

  2. #2
    Join Date
    Aug 2004
    Location
    Dallas, TX
    Posts
    3,507
    You can simply drop traffic that isn't part of the subnets assigned; you can do it at the core or edge level. Here is a Juniper example of a VLAN with rpf-check:

    unit 160 {
        family inet {
            rpf-check;
            address 113.117.166.161/29;
        }
    }

    Here is the Cisco info: http://www.cisco.com/web/about/secur...icast-rpf.html
    Dallas Colocation by Incero, 8 years and counting!
    e: sales(at)incero(dot)com 855.217.COLO (2656)
    Colocation & Enterprise Servers, SATA/SAS/SSD, secure IPMI/KVM remote control, 100% U.S.A. Based Staff
    SSAE 16, SAS70, Redundant Power & Network, Fully Diverse Fiber

  3. #3
    Join Date
    Feb 2011
    Posts
    584
    In either case, filter out outbound traffic to prevent any packets getting out from your edge that do not belong to your subnets. A simple firewall filter will do.

    As for tracing the internal source of spoofed packets, that depends on your internal topology.

  4. #4
    Join Date
    Jul 2008
    Location
    New Zealand
    Posts
    1,208
    Quote: Originally Posted by DMDM
        In either case, filter out outbound traffic to prevent any packets getting out from your edge that do not belong to your subnets. A simple firewall filter will do.

        As for tracing the internal source of spoofed packets, that depends on your internal topology.

    This is simply a top of the rack switch we have, which doesn't have NetFlow. Would it still be possible to trace back to the source, or would we need information from the datacenter's routers?

  5. #5
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,656
    Quote: Originally Posted by bhavicp
        This is simply a top of the rack switch we have, which doesn't have NetFlow. Would it still be possible to trace back to the source, or would we need information from the datacenter's routers?

    I don't think your data centre will be able to help, assuming your 3560 is actually doing routing, as the MAC address won't be exposed beyond the 3560. If you're just interested in blocking the traffic, you can just enable uRPF as per here:
    http://www.cisco.com/web/about/secur...icast-rpf.html

    If you actually want to determine who's doing the spoofing, it's going to be a bit time-consuming given your network setup. As presumably all the servers are going straight into this 3560, there probably isn't a single trunk link you can sniff traffic on, so you're going to have to mirror the ports to the servers on an individual basis. If you have the ports to spare, and a machine with enough NICs, you could set up 2 or even more at a time also. Then just do a tcpdump on each NIC and match the spoofed IP address/range. If you're running VMs, also make sure you specify the -e option to print the link level header, so you can see the MAC address of the VM as well.
    ASTUTE HOSTING: Advanced, customized, and scalable solutions with AS54527 Premium Canadian Optimized Network (Level3, PEER1, Shaw, Tinet)
    MicroServers.io: Enterprise Dedicated Hardware with IPMI at VPS-like Prices using AS63213 Affordable Bandwidth (Cogent, HE, Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami
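
The per-port capture described in the last reply, as an added example that is not part of the thread: it reads `tcpdump -e -n` text and counts, per source MAC, the frames whose IPv4 source lies outside the assigned prefix. Assumptions: the prefix 113.117.166.160/29 is borrowed from the Juniper snippet above, the interface name `eth1` is hypothetical, and every MAC and address in the sample is constructed.

```shell
#!/bin/sh
# Added example: attribute out-of-prefix IPv4 sources to a source MAC.
# Input is text as printed by `tcpdump -e -n` on the mirror (SPAN) NIC.

# outside_sources PREFIX   e.g. 113.117.166.160/29
# Reads capture text on stdin, prints "SRC_MAC SRC_IP COUNT" per offender.
outside_sources() {
    awk -v prefix="$1" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(prefix, p, "/")
        div = 2 ^ (32 - p[2])          # number of addresses in the block
        net = int(ip2int(p[1]) / div)  # index of the assigned block
    }
    /ethertype IPv4/ && $3 == ">" {
        # The source address is the field before the second ">" (the first
        # ">" separates the MACs), so this does not rely on a fixed column.
        src = ""
        for (i = 5; i < NF; i++) if ($(i + 1) == ">") { src = $i; break }
        # "a.b.c.d.port" for TCP/UDP, plain "a.b.c.d" for ICMP and others.
        if (split(src, q, ".") < 4) next
        ip = q[1] "." q[2] "." q[3] "." q[4]
        if (int(ip2int(ip) / div) != net) seen[$2 " " ip]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample of `tcpdump -e -n` output (not a real capture).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 00:16:3e:00:00:0a > 00:1b:54:00:00:01, ethertype IPv4 (0x0800), length 74: 113.117.166.162.44321 > 198.51.100.7.80: Flags [S], seq 1, win 29200, length 0
12:00:00.000002 00:16:3e:00:00:0b > 00:1b:54:00:00:01, ethertype IPv4 (0x0800), length 71: 203.0.113.50.53211 > 198.51.100.7.53: 1234+ A? example.com. (29)
12:00:00.000003 00:16:3e:00:00:0b > 00:1b:54:00:00:01, ethertype IPv4 (0x0800), length 71: 203.0.113.50.53212 > 198.51.100.7.53: 1235+ A? example.com. (29)
12:00:00.000004 00:16:3e:00:00:0b > 00:1b:54:00:00:01, ethertype IPv4 (0x0800), length 98: 113.117.166.163 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
12:00:00.000005 00:16:3e:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 113.117.166.161 tell 113.117.166.162, length 28
12:00:00.000006 00:16:3e:00:00:0b > 00:1b:54:00:00:01, ethertype IPv4 (0x0800), length 71: 192.0.2.9.40000 > 198.51.100.7.53: 1236+ A? example.com. (29)
EOF
}

# Live use (interface name is an assumption):
#   tcpdump -e -n -c 10000 -i eth1 ip | outside_sources 113.117.166.160/29
sample_capture | outside_sources 113.117.166.160/29
```

If the mirror session copies both directions of a port, return traffic from outside appears under the 3560's own MAC; mirroring only the receive direction of the server port keeps those rows out.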
