Information Security Discussion
IP Spoof Attack events in firewall

Post  Sarath Nambiar Thu Feb 17, 2011 9:07 pm

What is an IP Spoof Attack?
--------------------------------------------------------------------------------

Summary:
What is an IP Spoof Attack?


Solution by Juniper

This article applies to ScreenOS 4.0 and higher.
One method of attempting to gain access to a restricted area of the network is to insert a bogus source address in the packet header to make the packet appear to come from a trusted source. This technique is called IP spoofing. NetScreen has two IP spoofing detection methods, both of which accomplish the same task: determining that the packet came from a location other than that indicated in its header. The method that a NetScreen device uses depends on whether it is operating at Layer 3 or Layer 2 in the OSI model.
Layer 3: When interfaces on the NetScreen device are operating in Route or NAT mode, the mechanism to detect IP spoofing relies on route table entries.
Layer 2: When interfaces on the NetScreen device are operating

Recommendation from us:

The most common reason for IP Spoof events in a NetScreen firewall is a change in the route tables or packets being received at the wrong interface.

Check with the network team whether the route table was changed or whether the packet was received at an interface with no proper route table entries available for the packet. Since the packet was received at an invalid interface with no proper route / reverse route entries for the particular source address, the firewall concluded the IP was spoofed and possibly discarded the connection.

An "invalid route error" event will be triggered during this time along with the IP Spoof events.
Example:
Firewall-Name: NetScreen device_id=FWALL-FW1 [Root]system-notification-00625: Session (id 1993969 src-ip 10.x.x.x dst-ip 10.x.x.x dst port 27842) route is invalid. (2010-12-24 07:26:29)


Also note: IP Spoof attack alerts from firewalls with destination IP 224.0.0.5 (OSPF, Open Shortest Path First routing protocol) are false positives. This can also trigger an ARP Poisoning alarm.

For more, please visit my new forum.
Sarath Nambiar
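
An added example, not part of the original post or of Juniper's article: a simplified Python model of the route-table (reverse-route) check described above, showing how a route change makes a legitimate source look spoofed on its usual interface. The route tables, interface names and addresses are constructed, and the verdict labels are this example's own, not ScreenOS output.

```python
import ipaddress

# Destination the post calls out as a false-positive source (OSPF AllSPFRouters).
OSPF_ALL_ROUTERS = ipaddress.ip_address("224.0.0.5")

def reverse_route(routes, src):
    """Longest-prefix match: interface the table would use to reach src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def triage(routes, src, dst, ingress):
    """Classify a packet the way an analyst would triage an IP Spoof event.

    Returns (verdict, interface_the_reverse_route_points_to).
    """
    expected = reverse_route(routes, src)
    if expected == ingress:
        return ("ok", expected)                  # reverse route agrees with ingress
    if ipaddress.ip_address(dst) == OSPF_ALL_ROUTERS:
        return ("likely-false-positive-ospf", expected)
    if expected is None:
        return ("no-reverse-route", None)        # no entry covers the source at all
    return ("wrong-interface", expected)         # route to source uses another interface

# Constructed route tables: (prefix, egress interface). No default route on purpose.
ROUTES_BEFORE = [("10.20.0.0/16", "ethernet1"), ("10.50.0.0/16", "ethernet2")]
# After a change, a more specific route moves 10.20.30.0/24 behind ethernet3.
ROUTES_AFTER = ROUTES_BEFORE + [("10.20.30.0/24", "ethernet3")]

if __name__ == "__main__":
    cases = [
        ("before change", ROUTES_BEFORE, "10.20.30.7", "10.50.0.9", "ethernet1"),
        ("after change", ROUTES_AFTER, "10.20.30.7", "10.50.0.9", "ethernet1"),
        ("unknown source", ROUTES_AFTER, "172.16.9.9", "10.50.0.9", "ethernet1"),
        ("OSPF hello", ROUTES_AFTER, "172.16.9.9", "224.0.0.5", "ethernet1"),
    ]
    for label, routes, src, dst, ingress in cases:
        print(f"{label:15} {src:>12} -> {dst:<12} on {ingress}: "
              f"{triage(routes, src, dst, ingress)}")
```

Comparing the verdict before and after the route change is the same check the post asks the network team to make by hand.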