IP spoofing from untrust interface

  • Hi

    Following is the log that I gather from debug log:

    ****** 4677450.0: <untrust 0="" ethernet0="">packet received [391]******
      ipid = 0(0000), @032b5a30
      packet passed sanity check.
      ethernet0/0:>,17 <root>no session found
      flow_first_sanity_check: in <ethernet0 0="">, out <n a="">[ Dest] 9.route>, to bgroup0
      packet dropped, drop by spoofing check. is local network machine. Port 1900 is SSDP (system state discovery protocol) and is broadcast address for it.

    Looking at the log it seems that traffic is coming from outside with our local machine IP ( and then going out again (….

    I am new to Juniper devices…Is there any with explanation and how do I stop it happening?

    Cheers !</n></ethernet0></root></untrust>

  • Thanks kcullimo

    I will try that…ADSL modem (bridge mode) is connected directly connected to ETH0/0

    Cheers !

  • Engineer

    something similar to

    snoop filter ip src-ip dst-ip src-port 1900 dst-port 1900 ip-proto 17 interface eth0/0 direction incoming

    should cover it.

    Compare the source mac address of the matching packets to the one contained in the arp response received on bgroup0 for the proxy server. You’ll probably need to check the configuration of the device directly connected to eth0/0.

  • Thanks Kcullimo,

    But can you please tell what filter should I be creating to find problem?

    Just for more information, <untrust 0="" ethernet0="">is also binded to unumbered tunnel interface. That tunnel interface is used for four different vpns as well.

    I found following when using debug command:

    ****** 4843930.0: <trust bgroup0="">packet received [48]******
      ipid = 21159(52a7), @033e6f30
      packet passed sanity check.
      bgroup0:>,6 <root>no session found
      flow_first_sanity_check: in <bgroup0>, out <n a="">[ Dest] 9.route>, to bgroup0
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <n a="">search route to (bgroup0,> in vr trust-vr for vsd-0/flag-0/ifp-null
    PBR lookup params: dst-ip:, src-ip:, dst-port: 80, src-port: 1900, protocol: 6, dscp: 0
      [PBR route] 38.route>, to ethernet0/0
      routed (x_dst_ip from bgroup0 (bgroup0 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
    policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip, port 80, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 123/23/0xd
      Permitted by policy 123
      dip id = 2,>our-public-ip-address/1265
      choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 6, name HTTP, nas_id 0, timeout 300sec
      service lookup identified service 0.
      flow_first_final_check: in <bgroup0>, out <ethernet0 0="">existing vector list 313-3db751c.
      Session (id:7991) created for first pak 313
      route to
      bypass L2 prepare if, nsp ready.
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10002800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0,> in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
      [ Dest] 9.route>, to bgroup0
      route to
      arp entry found for
      ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 7991
      adjust tcp mss.
      tcp seq check.
      Got syn,>, nspflag 0x801801, 0x10002800
      post addr xlation: our-public-ip-address->
      update policy out counter info.
      send out through normal path.
      flow_ip_send: 52a7:our-public-ip-address->,6 => ethernet0/0(48) flag 0x0, vlan 0
      send packet to traffic shaping queue.
      flow_ip_send: 52a7:our-public-ip-address->,6 => ethernet0/0(48) flag 0x20000, vlan 0
    pak has mac
      Send to ethernet0/0 (70)

    Please note is also a proxy server.

    Cheers !</ethernet0></bgroup0></n></bgroup0></n></bgroup0></root></trust></untrust>

  • Engineer

    It matters that the destination address is actually multicast, as that type of routing is handled by separate mechanisms. Is it possible that your default  route is configured to forward traffic out another interface? You can determine if the 192.168 address is sharing a broadcast domain with your untrust interface by inspecting either the arp entry or enabling snoop (filtering for that specific flow) and reviewing the L2 header.

  • Sorry Marty….It may sound weird but I can’t disable IP Spoofing and paste configuration file here.

    If anyone know why I am receiving packet with Private IP then it will be really appreciated.

    Cheers !

  • Why is the packet being received on the external interface with a Private IP address.

    Dont know what is the topology of your network, but if you want to get rid of this then you might have to disable IP Spoofing from your external Zone.

    unset zone “Untrust” screen ip-spoofing

    But deal this with precaution.

    If you still face an issue paste your ‘get conf’ output here.