This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-12-14 12:47 PM

Meaning of Address Spoofing

Hello, everybody.

I have a curiosity about "Address Spoofing".
It is clear to me that when the log shows you a "DETECT" action, the traffic is "allowed", but is it important to "check" the reason for this traffic?

SPO1.png

Having this type of logs, can give us "indications" of "Networking" problems in the network of a company?

I want to communicate to IP:172.23.12.5 with IP:172.23.3.21, but there is no traffic registered in the CP.

I have policies, I have routes, I have tried with "TCPDUMP" "CPPCAP" "FW MONITOR", but none of these tools show me traffic, when traffic is generated (a simple PING, or a Telnet to any port).

When I "search" in the logs for the origin with IP:172.23.12.5, I only get irrelevant traffic to "other IPs" that have nothing to do with my target.

Could this be a routing problem?

Cheers :).

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2023-12-14 01:02 PM

It could be, but check out what I attached.

Andy

Preview file
39 KB
Preview file
86 KB
Preview file
42 KB
Lloyd_Braun
Collaborator
‎2023-12-15 11:46 AM

Absolutely that looks like a routing problem. It appears to be the reply traffic that is triggering anti-spoofing because the source port and destination port are inverted in the logs.  So a device out on bond2.303 is sending traffic with a destination of 10.10.100.1 back to the firewall.  I am guessing the firewall just routed that packet with a destination of 172.23.12.5:80 out that bond2.303 interface. Could be something else going on though. Potential ICMP redirects flying around but you would see that in pcap. Could be post NAT if that packet was previously NATted. 

 

log filters of

xlatesrc:10.10.100.1 or s_port:58432 or xlatesport:58432

or some combination of that may help you find the initial request that the packet triggering anti-spoofing is replying to, that is assuming the request went through the firewall, may be some async routing going on where the firewall is only catching that reply

Matlu
Advisor
‎2023-12-19 09:53 AM
In response to Lloyd_Braun

Hello,

I have a dilemma with "certain" types of traffic and Antispoofing messages.

Source: 172.23.12.5
Destination: 172.23.3.21, 172.23.3.20
Service (Test): ICMP

AP3.pngAP2.pngAP1.png

I have made attempts to capture traffic, with "tcpdump" "cppcap" "fw monitor" "fw ctl zdebug" and the active "Firewall" of my ClusterXL is not able to "capture" anything, when traffic is generated with a simple PING.

When I just filter in the logs, the source IP, I do get "data" but to my perception, it is "junk data", because it is nothing of what I am trying to capture.

The only thing I see "relevant" when I filter only the ORIGIN, is that all the logs I see, most of them, "emphasize" an Address spoofing issue and I am not sure, if it is an important point to take into account, for my analysis.

Greetings.

0 Kudos
the_rock
Legend
Legend
‎2023-12-19 10:00 AM
In response to Matlu

I think filter might be slightly off bro...usually people would do src:x.x.x.x AND dst:x.x.x.x

example -> src:1.1.1.1 AND dst:2.2.2.2

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-12-19 10:02 AM
In response to Matlu

See example below. One of my lab fws is 172.16.10.249 and I was pinging google dns from it.

Andy

 

Screenshot_1.png

0 Kudos
Lloyd_Braun
Collaborator
‎2023-12-19 01:03 PM
In response to Matlu

What does the anti-spoofing configuration for bond2.303 look like? I would guess that bond2.303 is missing that source address 172.23.12.5 from its topology. Or that address is configured behind a different interface's topology, so the firewall does not like seeing that source address 172.23.12.5 coming inbound on bond2.303.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events