RE: Log packets from spoofed address lab question

From: amilabs (amilabs@optonline.net)
Date: Wed Jul 09 2003 - 15:35:53 GMT-3


It sounds like just a basic access list with logging turned on. So, a
spoofed source address (not a dest address) is filtered, since a
spoofed packet is usually spoofing something on the inside of your
network, an address already in use, it should pass the filter without
being blocked since packets with the source address in question are
already running around inside your network, hence it would not be
blocked on the inbound frame interface, just permit and log. The real
address packets would never come in from that point so it should not be
an issue of blocking or forwarding.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Robert Laidlaw
Sent: Wednesday, July 09, 2003 2:17 PM
To: ccielab@groupstudy.com
Subject: Log packets from spoofed address lab question

I came across a question on my lab that I have never encountered before
and as such, I think that I did not get it right. However, it has led
me to dive deeper into the functionality that the question presented.

Q: You want to log spoofed ICMP packets coming across your frame cloud.
You want to be able to log them and see what is the most offensive
spoofed ip address. You do not want to block any traffic, just log.

This was to be placed on my HUB router in a frame cloud. What made this
difficult is that it wanted to easily see what the most spoofed ip
address was. I ended up using the unicast reverse path forwarding
interface commands but I still do not know if this is the "Correct" way
to do this. The other thing that I did not like is that when using this
setup, you use an acl to determine what happens to "bad" packets, but
even if you put the logging command in your acl, it doesn't show up in
the log until you do a clear access-list xxx. Is there another way of
accomplishing this or is this the way to go?

Any suggestions / comments are greatly appreciated.

Rob Laidlaw
laidlaw(at)consecro(dot)com
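
Added example, not part of either post above: once a permit-and-log ACL is feeding syslog, the "most offensive spoofed IP address" can be found by summing the per-line packet counts for each source. The log lines, ACL number 150 and the function name are constructed for illustration; the message layout follows the IOS %SEC-6-IPACCESSLOGDP format.

```python
import re
from collections import Counter

# Constructed sample syslog output (not from the thread). ACL 150 stands in
# for the hypothetical permit-and-log list attached to the hub router.
SAMPLE_LOG = """\
Jul  9 14:01:02: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.5 -> 172.16.0.1 (8/0), 1 packet
Jul  9 14:01:09: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.9 -> 172.16.0.1 (8/0), 1 packet
Jul  9 14:06:02: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.5 -> 172.16.0.1 (8/0), 37 packets
Jul  9 14:06:09: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.9 -> 172.16.0.7 (8/0), 4 packets
Jul  9 14:06:30: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.5(1025) -> 172.16.0.1(80), 1 packet
Jul  9 14:07:00: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.9.9 -> 172.16.0.1 (8/0), 9 packets
Jul  9 14:07:05: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# IPACCESSLOGDP is the ICMP variant: "src -> dst (type/code), N packet(s)".
ACL_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    rf"icmp (?P<src>{IPV4}) -> (?P<dst>{IPV4}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)


def top_spoofed_sources(log_text, acl, n=5):
    """Return [(source_ip, total_packets), ...] for ICMP hits on one ACL.

    IOS logs the first matching packet at once and then reports further
    matches as periodic summary lines, so a source's total is the sum of
    the packet counts on its lines, not the number of lines.
    """
    totals = Counter()
    for line in log_text.splitlines():
        m = ACL_ICMP.search(line)
        if m and m["acl"] == acl:
            totals[m["src"]] += int(m["count"])
    return totals.most_common(n)


if __name__ == "__main__":
    for src, packets in top_spoofed_sources(SAMPLE_LOG, "150"):
        print(f"{src:15} {packets}")
```

The periodic summary lines are also why a logged match can seem to be missing from the log for a while after the first hit.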



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:31 GMT-3