Thread: IP source address spoofing

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    10

    IP source address spoofing

    I am slightly aware of IP address spoofing... I am curious as to why I would see this in my logs on a Cayman DSL router... to give an idea of my network to help with this statement/question... a Cayman ADSL router connected to a switch that shares a connection with my computers and another network's computers that backbone off a frac DS3... is it possible that the frac DS3 traffic is "bleeding" onto my network and causing problems?
    Everyone has to start somewhere

  2. #2
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Your setup is not completely clear to me...? Probably I misread somewhere...
    You have an ADSL line with a router in between, connected to a switch to share the same ADSL line, and you have a connection to a fractional DS3 backbone?
    Traffic bleeding onto your network: you suspect the traffic from the other private network causes trouble in yours? They are not using the same address range, are they?

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    10
    Let me write it a little more clearly... there is an ADSL connection that my network uses (3 Win2k servers and a laptop). I connect to the ADSL router through a switch... on that same switch there is a GNU/Linux box that acts as somewhat of a proxy for another network... the Linux box has two network cards and has an IP from my network (in order to gain internet access for a 192.168.x.x network) and the other NIC uses an IP from the frac DS3... in my logs from the Netopia ADSL router there are IP source address spoofing alerts... see below for a log file view...

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.209
    IP destination address : 224.0.0.251
    Number of attempts : 6632
    Time at last attempt : 239:15:52
    IP Interface : ENET (10/100BT-LAN)

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.209
    IP destination address : 239.255.255.253
    Number of attempts : 26125
    Time at last attempt : 239:14:40
    IP Interface : ENET (10/100BT-LAN)

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.33
    IP destination address : 224.0.0.251
    Number of attempts : 83474
    Time at last attempt : 239:16:59
    IP Interface : ENET (10/100BT-LAN)

    what do you think?!?
    Everyone has to start somewhere

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    224.0.0.251 is a multicast broadcast address IIRC. The other one probably is too. The Linux box is seeing the multicast broadcasts and forwarding them. Your box is claiming the sources are "spoofed" because they are not on its own network and you haven't told it that the source network is associated with yours.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
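A small triage script, added here and not written by any poster in the thread, that parses alerts in the Netopia format quoted in post #3 and separates the case TS describes (multicast destinations reaching the router from a source prefix it does not own) from unicast traffic carrying a foreign source address, which deserves a closer look. The 68.94.0.0/16 LAN prefix is an assumption taken from the thread, and the third sample record is constructed to show the unicast case.

```python
import ipaddress
import re

# Constructed sample in the Netopia alert format from the thread: two records
# quoted in the thread, one fabricated unicast case; abridged to the fields used.
ALERT_LOG = """\
Security alert type : IP Source Address Spoofing
IP source address : 208.143.71.209
IP destination address : 224.0.0.251
Number of attempts : 6632

Security alert type : IP Source Address Spoofing
IP source address : 208.143.71.33
IP destination address : 239.255.255.253
Number of attempts : 83474

Security alert type : IP Source Address Spoofing
IP source address : 10.1.2.3
IP destination address : 68.94.1.5
Number of attempts : 12
"""

# Assumption: the prefix the router legitimately sees on its LAN side (68.94.x.x per the thread).
LAN_PREFIXES = [ipaddress.ip_network("68.94.0.0/16")]
FIELD = re.compile(r"^(.+?)\s*:\s*(.+)$")  # "name : value", value may itself contain ':'

def parse_alerts(text):
    """One dict per blank-line-separated alert block, keyed by field name."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (FIELD.match(line.strip()) for line in block.splitlines())
        records.append({m.group(1): m.group(2) for m in pairs if m})
    return records

def classify(rec):
    """Explain why the router raised the alert for this record."""
    src = ipaddress.ip_address(rec["IP source address"])
    dst = ipaddress.ip_address(rec["IP destination address"])
    if any(src in p for p in LAN_PREFIXES):
        return "local-source"             # the router's own prefix; not a spoofing case
    if dst.is_multicast:                  # 224.0.0.0/4 covers 224.0.0.251 and 239.255.255.253
        return "forwarded-multicast"      # another segment's multicast leaking through the gateway
    return "foreign-unicast-source"       # unicast with a source the router does not own

def summarize(text):
    """Total attempts and the set of verdicts per source address."""
    out = {}
    for rec in parse_alerts(text):
        e = out.setdefault(rec["IP source address"], {"attempts": 0, "verdicts": set()})
        e["attempts"] += int(rec["Number of attempts"])
        e["verdicts"].add(classify(rec))
    return out
```

Feed the router's real export to summarize() in place of ALERT_LOG; sources whose only verdict is forwarded-multicast match the explanation above, while foreign-unicast-source entries are the ones worth investigating.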

  5. #5
    Junior Member
    Join Date
    May 2004
    Posts
    10
    Thanks TS... I was under that impression but wasn't sure...
    Everyone has to start somewhere

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Those are both broadcast addresses. If your router was logging the src/dest ports, you'd probably be able to figure out which service it was on those boxes that is sending the attempt, and then see where the boxes are situated. You didn't provide enough information on the IP range of those other networks for me to give you more than a passing suggestion as to what the source of the problem is.

    From what you said:
    (INTERNET) <----> [Netopia Router] <---> (Your Lan + Linux gateway)
    Your lan has an address of 192.168.x.x.
    Then it goes:
    [Linux Gateway] <---> (F. DS3 LAN/WAN)

    What is the LAN/WAN address of the machines past the Linux gateway? Is it too supposed to be part of the 192.168.0.0/16 range? If it is, I suggest you immediately look into the setup of that DS3 network, or get whoever is responsible for it to look into it.

    This looks like you could fix it by implementing some simple filtering rules that I am frankly surprised a Netopia router doesn't ALREADY implement.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Junior Member
    Join Date
    May 2004
    Posts
    10
    Network correction:
    (INTERNET) <----> [Netopia Router] <---> (My LAN + Linux gateway)
    My LAN has an address of 68.94.x.x.
    Then it goes:
    [Linux Gateway] <---> (F. DS3 LAN/WAN)
    The Linux NIC routes another network through my Netopia; it has a NIC with one of my 68.94 addresses which proxies a 192.168.x.x/24 and an additional card that has an IP of 208.143.71.220/24 (from the F. DS3).

    I think that the Netopia doesn't know what to do with the packets... the reason I'm questioning that theory is the recent flood of attempts... they started a few weeks ago as 2-3 attempts and they have soared recently to 20,000-90,000 attempts... curious, I must say.
    Everyone has to start somewhere

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    IIRC, these multicast packets are used in many cases for streaming media, so things like RealPlayer spew them forth at startup to determine if there are any local sources of streaming media. Sounds like people on the other network have installed an app that uses multicast broadcasts and that's why you see the recent flood of packets.

    Is it possible to turn off broadcast forwarding either on the linux box or the Netopia? That would isolate you from the "storm" and it shouldn't affect the operation of your network.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    It looks to me as though all the routers on the way have been configured to route multicast. You can disable this on the Linux box by doing echo "0" > /proc/sys/net/ipv4/conf/eth?/mc_forwarding where ? is the device you want to disable it on. Alternately, you could NAT the packets and rewrite the source IP so it is valid and your Netopia stops complaining. I think the latter may be a better solution; however, I doubt you will see any harm done by simply ceasing to route the mc packets.

    PS: A /24 is the first three octets with the last octet variable, or 254 hosts. This would be 192.168.0.x, for example, but 192.168.x.x tends to indicate a /16, hence my previous mention of it.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    10
    PS: A /24 is the first three octets with the last octet variable, or 254 hosts. This would be 192.168.0.x, for example, but 192.168.x.x tends to indicate a /16, hence my previous mention of it.
    Sorry about the 192.168.x.x/24; it was a typo.... Thanks for the help.
    Everyone has to start somewhere
