ip spoofed packets on a LAN, how to identify the source ?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hello everybody,

I have about five servers behind a Cisco ASA, using local IP
addresses, like, on a switch. The Cisco gives access to
internal services using static NAT, by IP/ports.

The three first ones, on windows, have been installed before I came. The
two other ones are linux servers, with kvm installed, and the network
connection with virtual machine use bridges.

I have a virtualised mail server, and the Cisco make static NAT on ports
993 and 25 on this server. If I try to access another port from an
external IP, the connection is refused, which is normal.

Because I don't trust other machines already in place, I have temporary
added a software firewall on it. It's a simple linux mail server, and the
firewall is iptables. The input/output/forward policies are set to log
and drop.

However, I receive on this internal interface packets that "seems" come
from external addresses, for instance source is, and
destination port is 8000.

I think the Cisco doesn't left enter IP spoofed packets on the external

So, it's a local server that send IP spoofed packets, and try to bounce
on my server ? Is this thing possible, and if yes, do you know a way to
identify the machine. The MAC address of the source packets is false...

Thanks for any idea you have.

Re: ip spoofed packets on a LAN, how to identify the source ?

Andre Rodier wrote:
Quoted text here. Click to load it

It's not a Linux question, but ...

Even if the source MAC is spoofed, too, you can sometimes look in the
arp table on your switch (before it expires, so you have to be fast) to
see what port is associated with the suspect MAC address.

BTW, if the packet is making it through the ASA, then the source MAC
address you see on your server would be the MAC of the ASA.  Make sure
the MAC you think is spoofed isn't really the ASA.

If you're not the switch admin, then make him your buddy.  He might have
extra diagnostic tools that can help.  It kind of depends on the switch
and how much instrumentation your company have around it.

Re: ip spoofed packets on a LAN, how to identify the source ?

On Mon, 26 May 2008 01:32:41 -0500, Allen Kistler wrote:

Quoted text here. Click to load it

Thank you for your help, even if this list is not the best appropriate. I
just wanted to know if a tool for tracing spoofed packets exists on
Linux, but I think it's impossible.

The mac is not the cisco one, that I have already tried.

I'll do what you have says about the switch arp table.

Thank you again.

Site Timeline