Track source of spoofed IPs on LAN
-
We have an issue where several times a day we get short periods (15-20 mins) of extremely high packets coming in to our LAN interface from customers servers on one of our networks.
Usually we see 15-20k packets per second coming in to pfSense on the LAN interface but suddenly this spikes to between 100k and 500k packets per second.
The traffic generates hundreds of thousands of firewall block entries "Default deny rule IPv4 (1000000103)" source ip:port - destination ip:port TCP:A
What's curious is that the source ip cycles through all the ips on our subnet but the source port remains the same per source ip (changes once as each source ip changes) and the destination ip is ususlly the same external ip but the destination port changes sequentially. Similar to a port scan on a remote host being run from every ip on our network one after another.
The reason I think the source ips are being spoofed is because I know that some of them are unused and not active, yet they appear in the logs. Pinging them they are dea. Other source ips are from servers I have monitored and know that no traffic was leaving their interfaces yet their ips appeared in the logs.
How can I track down the source of this traffic as it's undoubtedly malicious and probably from a hijacked server or someone trying to launch a DDoS attack from our whole ip subnet.
-
Back when I worked in IT, I could plug in an IP and get back a MAC and even tell me what port in the entire campus that device is on.
-
We operate a heavily virtualised environment on Xen with HP blades and virtual connect networking so we don't have a traditional setup so to speak. We can't easily monitor network ports for traffic flows and track down ips and mac addresses as you normally would.
What is the best way in pfSense to find the source mac of traffic from a particular ip? That would be a start at least.
-
There's a package called arpwatch. I have no idea if it does what you need. I'm gonna install it and see what it does.
-
Why is it up to pfSense and not, say, your virtualization vswitch of your other switches?
But examining the ARP table and perhaps the DHCP logs is where I would start. Or a packet capture, perhaps.
-
It looks like arpwatch might be useful for you. It logs IPs MACs and timestamps. But then again, the malware could spoof MAC addresses, too, depending upon how nefarious its creators are.
If you don't have any physical managed L2 or L3 switches, you may want to invest in some.
Good luck.
