Hello Everyone,

This is my first thread on this forum!

I am sometimes getting some attempts from people to hack into our company network (or what seems like it). So far, my IPS has prevented this and warned me that they are trying to spoof their IP address.

When I have a look at the logs, I see that someone is trying to pretend to be our perimeter router (with our external address) and is trying to use this method to gain access to the computers inside our network.

I was wondering if anyone knows how to trace a spoofed IP packet to its real source. My thoughts are that you would have to sniff packets and watch which routers it is coming through......but I'm wondering if anyone has a good method, good tools or good ideas to help me track down these people.

Thankyou

Welcome to LQ.

I think contacting your ISP and working with them to identify the source i probably the best option. I don't think you'll get much out of sniffing packets, as you'll really only be able to see up to a hop away (probably your ISPs upstream router). So any MACs that you sniff will be from the router. If the attacker were within a hop it would be usefull, but that's probably unlikely. Looking at the ttl of the packets can probably rule out whether that's true or not (though that's forgeable also).

That being said, you should definitely have some form of spoofing protection on your perimeter firewall. You absolutely need to filter packets coming into the external interface with forged internal IPs. You'll never see these for legitimate reasons and they should be dropped outright (possibly logged) as well.

Thankyou, that was explained very well.

Yes, I forgot about the MAC address being that of the last hop.

The Perimeter Intrusion Prevention System does silently block IP spoofing and has so far done a good job of it...and all dropped packets are logged (syslog) so I can look up the logs if anything suspicious is happening.

Actually, on the subject of IPS, I'm setting up a FreeBSD box to serve web pages to an internal network, and I was wondering if some people could give some tips and tricks on setting up a secure multi-layered IPS with good logging.

I know about snort_inline....is this a good first step?

Have you seen any portscans, protocol mapping, traceroutes?

If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle. Enforce security restrictions to make other employees aware of the risks of using the company's passwords on the web, etc.
If you're using a company's webmail, use SSL. Never use pop3, imap, plain http, telnet, ftp, etc..

With ping, hping, traceroute, tcptraceroute and some patience you may try to figure which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.

Why your ISP haven't filtered the spoofed source in the first place?
Or were they cracked?

Deny any incoming ICMP redirects, router advertisements and solicitations. Is your route to your ISP static?
If it is, then tighten your firewall to only accept routing related traffic from this IP only

If these crackers use an intermediate router, they could spoof some addresses at will and see the replies, sniff traffic, and perform man in the middle.
The source IP is their external address, so unless the attacker is doing some kind of source route fscking then the replies aren't going back out through an intermediate router. Plus likelihood of a backbone router being compromised is not very good (assuming it's non-cisco ^_^).

With ping, hping, traceroute, tcptraceroute and some patience you may try to figure which addresses are being spoofed because of their TTL. They show you the intermediate routers as well.
Again if the source is yours, then it won't show you much except how far you are from your own perimeter router with the IP they're forging. Even if it was remote IPs, verifying that the number of reply hops corresponds to the incoming packets ttl is going to problematic at best (think people with proxys that re-write ttls for legitimate reasons) or just chance that the reply takes a different path with +/- 1 hop. Something like tcpcookies would help, but only for a large number of spoofed connection attempts.

Why your ISP haven't filtered the spoofed source in the first place?
Or were they cracked?
Most don't. That's why spoofing is still a common occurance on the internet. Even obviously forged packets like smurf/fraggle still work.

Yeah, I was just talking about the possibly spoofed addresses in the case there were traceroutes, portscans, etc... I bet they tried these first

There are routers in many many places. Also, if the router shares an Ethernet segment, some sniffing + spoofing (+ perhaps some ARP poisoning) could make the trick. Note that it isn't even necessary to compromise one if the victim's routing table may be touched.

Mabey the only other way to trace a spoofed IP over the internet would be to have a widely spread zombie network that could packet capture on different parts of the internet and 'report back to base' as it were - and this isn't so uncommon.

And I guess that would require you to do some hacking of your own. Mabey even write a small IRC bot in assembly like Steve Gibson did too....that would glean information on any planned attacks or some script kiddie bloating.

A network of zombies to protect us from another zombies? No, thanks...
Currently, there's Carnivore and Echelon "to protect and to serve"

Steve Gibson's wishes are inversely proportional to his real skills.
Maybe raw sockets + assembly is too much to him

http://grcsucks.com/

Ah, I see. I wont go there then.

Really, ISP's may do a better job. They have the infrastructure. There exists the information