1

We just installed a SonicWALL NSA 3500 and I've noticed a few times per day there will be an alert entry like this:

Time: 01/02/2013 9:00:41.000

Priority: Alert

Category: Intrusion Prevention

Message: IP spoof dropped

Source: 173.115.237.234, 123, X0 (My note: nslookup tells me it belongs to some Sprint/PCS network, but the X0 interface is our LAN-facing interface. I also see 10.0.0.4 here sometimes with the same MAC address, and we don't have a 10.0.0.0 network. It's always that same MAC address!)

Destination: 192.168.x.x, 123, X0 (My note: This has shown as a few of our internal servers' IP's)

Notes: MAC address: 00:b0:d0:74:13:74 (My note: Appears to be a Dell MAC address, but doesn't match any of our known Dell computers on file)

When I perform an "arp -a | findstr 74-13-74" on my Windows PC I don't show that MAC address in my ARP table.

Is there a way I can track down what this is? We do use SonicWALL's SSL-VPN to tunnel into the X0 interface, maybe somebody uses a Sprint aircard and something is messing up? Maybe we have some malicious device somewhere? I'm very open to suggestions, this is puzzling me.

armani
  • 2,658
  • 19
  • 20
  • 1
    Try blocking that MAC address and see if anyone complains. Either way, problem solved. – Sammitch Jan 02 '13 at 21:18
  • Can't really accept a comment as an answer, but I did that and it worked. So, thanks. – armani Jan 03 '13 at 14:04
  • Blocked the MAC address and looked to see who complains. – armani Jan 03 '13 at 14:05
  • Actually that didn't work -- got more messages this morning. This time the source IP was 107.42.210.236, still on the X0 [LAN] interface. – armani Jan 03 '13 at 18:55
  • Did the MAC address change, or did it not get blocked correctly? – Sammitch Jan 03 '13 at 20:50
  • Same MAC address... but I guess I'm an idiot because I just checked that the rules I put in place for it were set to "Allow." Just changed to "Deny." Interestingly no packets logged on those rules though. – armani Jan 04 '13 at 15:07
  • After fixing the rules, I still am getting "IP spoof dropped" alerts for that MAC address. Maybe Intrusion Prevention occurs before firewall rules? – armani Jan 04 '13 at 17:08
  • 1
    I'm having the exact same issue with the exact same MAC address. I have a SonicWALL TZ210 and I get the same alerts with the same MAC address. It's always port 137 and it always attempting to access my Domain Controller. It would be interesting to learn whether this is a bug in the SonicWALL or if someone out there is actually attempting to spoof SonicWALLs. –  Jan 23 '13 at 14:37
  • Same MAC address? I should either feel safer, since it's unlikely the same attacker scanning both our networks, or scared that it actually is! Nah, originating from inside the LAN points toward some bug or something. That's actually the most helpful comment, thank you. – armani Jan 23 '13 at 19:17
  • 1
    Perhaps this is a little weird but im having the same issue with the same mac address!? –  Mar 14 '13 at 17:14

3 Answers3

3

If I were you, I'd port mirror, tap, or hub that network attached to the firewall and use accurate packet capture, such as "tcpdump -vvenXs0".

atdre
  • 18,885
  • 6
  • 58
  • 107
  • I do have a Throwing Star Lan Tap (downside: brings the link down to 100Mb), and the SonicWALL appears to have port mirror capability. I usually save packet captures as a last resort, was hoping someone familiar with SonicWALLs knew something better. – armani Jan 02 '13 at 17:50
  • Even if I did do that, what would I gain? What would I be looking for? I already know the MAC, but that's it. – armani Jan 03 '13 at 18:55
0

I blocked the offending MAC address, and in the past year never got a complaint from a user, so that seems to be the fix.

armani
  • 2,658
  • 19
  • 20
  • As so far I understand, what if that was an attack and if the attacker changes his machine and attacks with a new MAC? You have to block again! – pavanw3b Mar 07 '15 at 07:41
-1

So the thing here is to go spelunking around the switches to isolate the location of the source. You could figure out a window period where this is happening and focus your efforts there. If it's in a regular interval, then that's a great thing. Anything else, is a pain.

munchkin
  • 393
  • 1
  • 5