Re: ip spoofed packets on a LAN, how to identify the source ?



On Mon, 26 May 2008 01:32:41 -0500, Allen Kistler wrote:

Andre Rodier wrote:
Hello everybody,

I have about five servers behind a Cisco ASA, using local IP addresses,
like 192.168.0.0/24, on a switch. The Cisco gives access to internal
services using static NAT, by IP/ports.

[snip]

So, it's a local server that sends IP spoofed packets, and tries to bounce
on my server? Is this thing possible, and if yes, do you know a way to
identify the machine? The MAC address of the source packets is false...

It's not a Linux question, but ...

Even if the source MAC is spoofed, too, you can sometimes look in the
arp table on your switch (before it expires, so you have to be fast) to
see what port is associated with the suspect MAC address.

BTW, if the packet is making it through the ASA, then the source MAC
address you see on your server would be the MAC of the ASA. Make sure
the MAC you think is spoofed isn't really the ASA.

If you're not the switch admin, then make him your buddy. He might have
extra diagnostic tools that can help. It kind of depends on the switch
and how much instrumentation your company has around it.

Thank you for your help, even if this list is not the most appropriate. I
just wanted to know if a tool for tracing spoofed packets exists on
Linux, but I think it's impossible.

The MAC is not the Cisco one, that I have already tried.

I'll do what you have said about the switch arp table.

Thank you again.
andre.
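
The check discussed in this thread, as an added example that is not part of the original messages: it reads `tcpdump -e -n` output captured on the receiving server and tallies source MACs whose claimed source IP is implausible, either an off-subnet address on a frame that did not come from the firewall, or a local address paired with the wrong MAC. The function name, the inventory mapping, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Link-level header and IPv4 source as printed by `tcpdump -e -n`.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ",
    re.IGNORECASE,
)

def suspect_frames(lines, lan, gateway_mac, inventory):
    """Count (src_mac, src_ip, reason) for frames whose MAC/IP pairing is implausible."""
    net = ipaddress.ip_network(lan)
    hits = Counter()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 frame in the expected format
        smac, sip = m["smac"].lower(), m["sip"]
        if ipaddress.ip_address(sip) not in net:
            # An off-subnet source can only legitimately arrive via the gateway.
            if smac != gateway_mac.lower():
                hits[(smac, sip, "off-subnet source, not from gateway")] += 1
        elif sip in inventory and inventory[sip].lower() != smac:
            hits[(smac, sip, "MAC differs from inventory")] += 1
    return hits

# Constructed sample data (documentation MAC and IP ranges), not from the thread.
LAN = "192.168.0.0/24"
GATEWAY_MAC = "00:00:5e:00:53:01"  # assumed inside-interface MAC of the firewall
INVENTORY = {"192.168.0.12": "00:00:5e:00:53:12"}  # assumed known hosts, ip -> mac
HDR = "> 00:00:5e:00:53:10, ethertype IPv4 (0x0800), length 74:"
SAMPLE = [
    f"10:00:00.000001 00:00:5e:00:53:01 {HDR} 203.0.113.7.40000 > 192.168.0.10.80: Flags [S], length 0",
    f"10:00:00.000002 00:00:5e:00:53:66 {HDR} 198.51.100.9.40001 > 192.168.0.10.80: Flags [S], length 0",
    f"10:00:00.000003 00:00:5e:00:53:66 {HDR} 198.51.100.9.40002 > 192.168.0.10.80: Flags [S], length 0",
    f"10:00:00.000004 00:00:5e:00:53:12 {HDR} 192.168.0.12 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for (mac, ip, why), n in suspect_frames(SAMPLE, LAN, GATEWAY_MAC, INVENTORY).items():
        print(f"{n} frame(s) from {mac} claiming {ip}: {why}")
```

Any MAC it reports is the value to look up on the switch, as suggested above, since the switch port is the one attribute the sending machine cannot forge.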