Re: ip spoofed packets on a LAN, how to identify the source ?



Andre Rodier wrote:
Hello everybody,

I have about five servers behind a Cisco ASA, using local IP addresses, like 192.168.0.0/24, on a switch. The Cisco gives access to internal services using static NAT, by IP/ports.

[snip]

So, it's a local server that sends IP-spoofed packets and tries to bounce off my server? Is this thing possible, and if yes, do you know a way to identify the machine? The MAC address of the source packets is false...

It's not a Linux question, but ...

Even if the source MAC is spoofed, too, you can sometimes look in the arp table on your switch (before it expires, so you have to be fast) to see what port is associated with the suspect MAC address.

BTW, if the packet is making it through the ASA, then the source MAC address you see on your server would be the MAC of the ASA. Make sure the MAC you think is spoofed isn't really the ASA.

If you're not the switch admin, then make him your buddy. He might have extra diagnostic tools that can help. It kind of depends on the switch and how much instrumentation your company has around it.
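The procedure in the reply above (capture the frames on the server, check whether the source MAC is actually the ASA, then look the MAC up in the switch's address table to find the port) can be scripted. The following is an added example and not code from the original thread: it parses constructed `tcpdump -e -n` lines from the server and a constructed Cisco `show mac address-table` dump, and for every frame that claims a 192.168.0.0/24 source it reports whether the frame arrived through the ASA, from a known switch port, or with a MAC the switch has no entry for. All addresses, the ASA inside-interface MAC and the port names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of 'tcpdump -e -n' output as seen on the targeted server
# (hypothetical addresses; not data from the original thread).
CAPTURE = """\
12:00:01.000001 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.55.40001 > 192.168.0.10.22: Flags [S], seq 1
12:00:01.000100 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.20.40002 > 192.168.0.10.22: Flags [S], seq 2
12:00:01.000200 de:ad:be:ef:00:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.99.40003 > 192.168.0.10.22: Flags [S], seq 3
12:00:01.000300 00:11:22:33:44:55 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.20.40004 > 192.168.0.10.22: Flags [S], seq 4
"""

# Constructed sample of Cisco IOS 'show mac address-table' output from the switch.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/1
   1    0011.2233.4455    DYNAMIC     Gi0/7
   1    0050.56aa.bbcc    DYNAMIC     Gi0/3
"""

# Assumed MAC of the ASA's inside interface; on a real ASA read it from
# 'show interface inside' instead of guessing.
ASA_INSIDE_MAC = "00:1a:2b:3c:4d:5e"
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")


def normalize_mac(mac):
    """Canonicalise a MAC written tcpdump-style (aa:bb:cc:dd:ee:ff) or
    Cisco-style (aabb.ccdd.eeff) to lowercase colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


MAC_TABLE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_mac_table(text):
    """Return {mac: switch port} from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(4)
    return table


FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:", re.I)


def parse_capture(text):
    """Extract (src MAC, dst MAC, src IP, dst IP) from 'tcpdump -e -n' lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({k: m.group(k) for k in ("smac", "dmac", "sip", "dip")})
    return frames


def locate_sources(frames, mac_table, asa_mac, local_net):
    """For each frame claiming a local source IP, say where it physically
    came from according to the layer-2 evidence."""
    asa_mac = normalize_mac(asa_mac)
    results = []
    for f in frames:
        if ipaddress.ip_address(f["sip"]) not in local_net:
            continue  # only frames pretending to be from the LAN are of interest
        smac = normalize_mac(f["smac"])
        if smac == asa_mac:
            # Frame was forwarded by the firewall: the "local" source IP was
            # set by something on the far side, not by a host on this switch.
            verdict, port = "via ASA", mac_table.get(smac)
        elif smac in mac_table:
            verdict, port = "switch port " + mac_table[smac], mac_table[smac]
        else:
            # Either a forged MAC or an entry that has already aged out.
            verdict, port = "MAC not in switch table", None
        results.append({"src_ip": f["sip"], "src_mac": smac,
                        "verdict": verdict, "port": port})
    return results


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for r in locate_sources(parse_capture(CAPTURE), table, ASA_INSIDE_MAC, LOCAL_NET):
        print("%-15s %s  -> %s" % (r["src_ip"], r["src_mac"], r["verdict"]))
```

The interesting pair in the constructed data is 192.168.0.20: one frame carries the ASA's MAC (so it came in through the firewall with a forged local source) and one carries a MAC learned on Gi0/7 (the real host). Because dynamic MAC entries age out, dump the switch table in the same minute as the capture, as the reply says.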