IP spoofing

  • Hi,
    i have a SSG550. and there is a wierd message.

    IP spoofing! From <src-ipaddress>:2667 to <dst-ipaddress>:162, proto UDP (zone DMZ, int ethernet0/0). Occurred 7 times.

    actually the source address is the DMZ’s IP address interface.

    why it appear as IP spoofing?
    anybody know what cause this?</dst-ipaddress></src-ipaddress>

  • Global Moderator


    this logs shows two things:

    1 your firewall doesn’t like ip arriving at int bgroep1. Try this:
    get route ip and see where from, looking at the routing table, it should be arriving.
    Same for on bgroup0

    2 The last line is something else: You configured a maximum sessions to a dst in zone trust, and to destination this limmit is reached.

  • I also have these logs too

    IP spoofing! From to, proto UDP (zone DMZ, int bgroup1). Occurred 1 times.
    IP spoofing! From to, proto UDP (zone DMZ, int bgroup1). Occurred 1 times
    IP spoofing! From to, proto UDP (zone Trust, int bgroup0). Occurred 4 times.
    Dst IP session limit! From to, proto TCP (zone Trust, int bgroup0). Occurred 1 times.

    I have these logs full of. is it means that there is virus in my network?

  • Engineer is a multicast address. It basically means “all hosts” on the network.

    It could be a misconfigured router sending multicast where it shouldn’t…oor something more malicious.

  • I am also getting IP spoofing.
    IP spoofing! From to, proto 2 (zone Untrust, int ethernet0/2). Occurred 1 times.

    1.107 is my adsl modem which is in bridge mode.

    My version is : 5.4.0r8.0

  • I believe that this was an issue resolved in 5.4.0r7 or later. Try upgrading to the latest which is 5.4.0r8. In the release notes for 5.4.0r8, there were a couple of IP spoofing issues reported.

  • the software is 5.4r5.

    thanks alot for your explanation. i’m going to find out the solution.

    best regards,
    billy lukas jubilee. :lol:

  • Global Moderator

    Tim is describing spoofing very cleary and accurate! I like to add one thing. As you all can read a spoofing detection means a packet is arriving at an interface while there’s a destination route to the source over another interface. The thing to do here is run a “get route ip <src ip=”">". This will show wich interface on the firewall confiigured for the route. You then can correct the routing. One idea is to set a (/32) static route to the interface the packet is arriving on.</src>

  • Engineer

    IP spoofing is caused when the firewall receives an IP from a source in which it knows to exist else where…

    An example of this is a simple Trust - Untrust type firewall. Trust being the internal lan and untrust being the internet.

    For the sake of this example Trust is 192.168.1.x and Untrust is obviously the public internet.

    Now the firewall will report a spoof when it recieves a packet with a source of 192.168.1.x IN the untrust interface (from the internet)

    The firewall basically says, hey…my route table says 192.168.1.x is in the trust zone… not the untrust zone. This must be a spoofed packet and drops it at a screen level.

    Spoofed packets are packets in which the source IP header has been altered to mask the real source, to get around firewall policies or general network probes/attacks. It’s a common type of attack and is a very common screen hit. If the spoofs are false positives take a look at the routing table and ensure that it has a return route for those sources (aka…let the firewall know 192.168.2.x exists off of the DMZ zone)

    I hope this helps, I tried to make it as basic as possible and explain it from the ground up.

    Tim Eberhard

  • What ScreenOS version are you running? UDP 162 is normally an SNMP trap.