Spoofed Source Address???

sgscit

Technical User
Nov 18, 2002
134
AU
Hi Guys,

Anyone know how to fix this?

19/03/03 09:15 firewalld[98]: deny out eth1 328 udp 20 128 172.153.9.9 255.255.255.255 67 68 (spoofed source address)

Thanks,

Pete
[morning]

PS: 172.153.9.9 is not the real IP :)
 
Well, I know exactly which server the spoofing is coming from; I just don't know how to get rid of it. It is creating traffic to the firewall about 10 times greater than the Internet traffic.

What do I need to change (probably on the server) to stop these messages being produced?
 
The traffic is being generated on the side of your trusted interface. If the trusted interface does not know about that network, it will consider it to be spoofed.

Can I assume this is not really a public IP on your trusted interface?
 
Tell us a little bit more about the box that is generating all this "spoofed" traffic.
 
The IPs are valid IPs. The subnet mask is valid.
Both Ethernet adaptors on the server are sending out spoofed addresses.

The IPs are registered in DNS on our network, and I can connect via Terminal Services to the server, ping, nslookup, etc.

Could it be a routing table issue? I have been trying to set the machine up as a router (without much success), but to try and pinpoint this issue I have turned off RRAS.

By public IP do you mean a 10., 172. or 192. IP address?
If so, yes, it is one of those. The FB then NATs it to our Internet IP.

Thanks.

Pete
[morning]
 
It sounds like it may be an issue with routing. Do your NICs have more than one IP address assigned to them? If so, are any of the IP addresses the same IP address you are seeing in your logs as a spoofed source address?
 
The IP addresses are correct, but I don't know why the mask is being changed to 255.255.255.255.

The NICs only have 1 IP each with a 255.255.255.0 mask.

I turned off RRAS yesterday (it is still off) to see if that would help, but it did not stop the spoofing.

Thanks.

Pete
 
You said the mask is being changed to a /32. I assume this should be a /24. Also, are both NICs configured with IPs from the same subnet?

Last question (for now), these are static IPs?
 
IPs are x.x.1.38 & x.x.2.1 on two separate NICs. Both are static.

When I do an IPCONFIG /all it displays them correctly, but the firewall displays them as spoofed with a mask of /32.
 
OK - so both IPs (x.x.1.38 and x.x.2.1) show as spoofed in the FB logs? Are either the x.x.1 subnet or the x.x.2 subnet, subnets that are defined on the FB trusted interface (probably as secondary networks)?
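
Added example, not part of the thread: a Python sketch of the check the replies describe, where a source address outside every network defined on the logging interface is reported as spoofed. The field layout of the firewalld line and the interface network tables are assumptions; under that layout the second address is the destination and the last two numbers are the source and destination ports.

```python
import ipaddress
import re

# Log line quoted in the thread (the poster notes the source IP is not the real one).
SAMPLE = ("19/03/03 09:15 firewalld[98]: deny out eth1 328 udp 20 128 "
          "172.153.9.9 255.255.255.255 67 68 (spoofed source address)")

# Assumed field layout: action, direction, interface, packet length, protocol,
# IP header length, TTL, source, destination, source port, destination port, reason.
LINE_RE = re.compile(
    r"firewalld\[\d+\]: (?P<action>\w+) (?P<direction>\w+) (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\w+) (?P<ihl>\d+) (?P<ttl>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+) "
    r"\((?P<reason>[^)]*)\)")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("length", "ihl", "ttl", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def source_is_known(rec, iface_networks):
    """True if the source address lies in a network defined on the logging interface."""
    src = ipaddress.ip_address(rec["src"])
    nets = iface_networks.get(rec["iface"], [])
    return any(src in ipaddress.ip_network(n) for n in nets)

def is_dhcp_broadcast(rec):
    """True for UDP between ports 67/68 sent to the limited broadcast address."""
    return (rec["proto"] == "udp" and rec["dst"] == "255.255.255.255"
            and {rec["sport"], rec["dport"]} == {67, 68})

if __name__ == "__main__":
    # Constructed interface tables: primary network only, then with a secondary added.
    primary_only = {"eth1": ["10.0.0.0/24"]}
    with_secondary = {"eth1": ["10.0.0.0/24", "172.153.9.0/24"]}
    rec = parse_line(SAMPLE)
    print(rec["src"], "->", rec["dst"], "dhcp broadcast:", is_dhcp_broadcast(rec))
    print("known with primary only:", source_is_known(rec, primary_only))
    print("known with secondary net:", source_is_known(rec, with_secondary))
```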
 