
Saturday, July 24, 2010

ASA capture utility / IP spoof- How do we identify the offending host?

We have received couple of notifications from ASA regarding IP spoof attempts:

:Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IPspoof from (127.0.0.1) to 64.x.x.x on interface inside

We wanted to get some more info to eliminate any infected clients on our internal network. Did some research on the Cisco forum and configured an access list to capture the suspicious traffic:

ciscoasa(config)#access-list incap permit ip host 127.0.0.1 any
ciscoasa(config)#access-list incap permit ip any host 127.0.0.1
ciscoasa(config)#capture incap access-list incap interface inside

Here's the result of the "show capture incap":

6 packets captured

1: 12:13:25.984049 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840
2: 12:13:28.975047 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840
3: 12:16:45.147239 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840
4: 12:16:48.137764 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840
5: 14:06:53.636197 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840
6: 14:06:56.629789 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840
6 packets shown.

How can we identify the offending host on our inside network? Also, the x-ed public IPs point to one of the local businesses, and it seems to be their totally unsecured IIS server. Should we contact the IT department?

Tips:

  • Try looking at the MAC address of the offender and tracing it back through your switch to find out what machine it is coming from. Depending on your environment though (for example, if the host is a wireless client), this might not be too helpful. If the attacker can spoof their IP address, they could also be spoofing their MAC address.
  • If the capture is still in the ASA's memory, take a look at 'show capture detail' and the MAC address on the packets will be shown.
  • Alternatively, download the PCAP file of the capture, which gives you the full packet contents and can be opened in Ethereal or Wireshark; or run "show capture incap detail" on the ASA, which shows the MAC address information as well.
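The tips above come down to one workflow: pull the capture with Layer 2 detail, group the spoofed packets by the source MAC address the ASA saw on the inside interface, and take that MAC to the switch's forwarding table. The script below is an added example (not from the original post or from Cisco) that does the grouping. It assumes that "show capture incap detail" prints one header line per packet with the timestamp, source MAC, destination MAC and EtherType, followed by an indented flow line; that layout is an assumption to be confirmed against your own ASA's output. The capture text, the MAC addresses and the RFC 5737 destination addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of "show capture incap detail".
# Two different inside MACs are sending packets with the spoofed 127.0.0.1 source.
SAMPLE_CAPTURE_DETAIL = """\
6 packets captured

   1: 12:13:25.984049 0013.c3d6.6f40 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840
   2: 12:13:28.975047 0013.c3d6.6f40 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840
   3: 12:16:45.147239 0013.c3d6.6f40 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.38511 > 203.0.113.10.80: S 850947795:850947795(0) win 5840
   4: 12:16:48.137764 0013.c3d6.6f40 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.38511 > 203.0.113.10.80: S 850947795:850947795(0) win 5840
   5: 14:06:53.636197 0021.5e9f.0a11 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.53661 > 198.51.100.7.80: S 984711035:984711035(0) win 5840
   6: 14:06:56.629789 0021.5e9f.0a11 001a.a1b2.c3d4 0x0800 Length: 74
      127.0.0.1.53661 > 198.51.100.7.80: S 984711035:984711035(0) win 5840
6 packets shown.
"""

# Cisco writes MACs as three dotted groups of four hex digits.
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
HEADER_RE = re.compile(
    rf"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    rf"(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+0x(?P<ethertype>[0-9a-f]{{4}})"
)
FLOW_RE = re.compile(
    r"^\s*(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+)\s+>\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):\s+(?P<flags>\S+)"
)


def parse_capture_detail(text):
    """Pair each packet header line with the flow line that follows it."""
    packets = []
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = FLOW_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            packets.append(pending)
            pending = None
    return packets


def mac_to_ieee(cisco_mac):
    """0013.c3d6.6f40 -> 00:13:c3:d6:6f:40, the form most switch MAC tables use."""
    digits = cisco_mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def summarize_by_source_mac(packets, spoofed_prefix="127."):
    """Group packets carrying a spoofed (loopback) source IP by the sending MAC."""
    summary = defaultdict(lambda: {"count": 0, "targets": set(), "first": None, "last": None})
    for p in packets:
        if not p["src_ip"].startswith(spoofed_prefix):
            continue  # legitimate source address; not part of the spoof hunt
        entry = summary[p["src_mac"]]
        entry["count"] += 1
        entry["targets"].add(f'{p["dst_ip"]}:{p["dst_port"]}')
        entry["first"] = entry["first"] or p["ts"]
        entry["last"] = p["ts"]
    return dict(summary)


def report(summary):
    """One line per offending MAC, busiest first, ready to match against the switch."""
    lines = []
    for mac, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{mac_to_ieee(mac)}  packets={e['count']}  "
                     f"window={e['first']}..{e['last']}  "
                     f"targets={', '.join(sorted(e['targets']))}")
    return lines


if __name__ == "__main__":
    pkts = parse_capture_detail(SAMPLE_CAPTURE_DETAIL)
    for line in report(summarize_by_source_mac(pkts)):
        print(line)
```

Each reported MAC is then looked up in the switch's address table to find the port and, from there, the machine. As the first tip notes, a host that forges its IP can forge its MAC too, so a MAC that appears on no switch port, or that moves between ports, is itself a finding worth recording rather than a dead end.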
Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
