Public network cannot reach the device after IP spoofing attack defense is enabled.

Publication Date:  2012-09-11 Views:  172 Downloads:  0
Issue Description
1 The USG2200 is connected directly to the public Internet with two uplinks: one to ISP1, the other to ISP2.
2 Specific routes point the ISP1 network segment at the ISP1 link; the default route points at the ISP2 link.
3 A PC in the ISP1 network can neither ping nor telnet to the outlet-2 (ISP2-side) address of the USG2200.
Alarm Information
None.
Handling Process
Disable the IP spoofing attack defense:
undo firewall defend ip-spoofing enable
After this the PC can reach the outlet-2 address again.
Root Cause
1 Analysis of the data flow: under normal conditions a packet from the PC to the outlet-2 address enters the device through outlet 2, while the route back to the PC's source address points out of outlet 1 (the specific route for the ISP1 segment).
2 The local policy was checked; it does not restrict this traffic by IP address.
3 This is not an inconsistent forward/return path (asymmetric routing) problem of the kind addressed by undo firewall session link-type check, since the traffic terminates on the device itself.
4 The log summary shows an attack log entry:
    2011-12-04 17:01:49 wf %%01SEC/5/ATCKDF(l): AttackType:IP spoof attack; Receive Interface: GigabitEthernet0/0/0 ;
    proto:ICMP(4120,445) ; from 116.247.83.30 219.138.202.79 219.138.202.79 218.83.252.125 ; to 116.247.74.214 116.247.74.214
    116.247.74.214 116.247.74.214 ; begin time :2011/12/4 17:1:19; end time: 2011/12/4 17:1:45; total packets: 13;
5 The attack defense configuration contains the IP spoofing defense:
    firewall defend ip-spoofing enable
From the information above, the device dropped the packets because the IP spoofing defense classified them as spoofed: the packets arrived on outlet 2 (GigabitEthernet0/0/0 in the log), but the route back to their source addresses points out of outlet 1, so the reverse-path check failed.


Suggestions
The IP spoofing attack defense decides whether a packet is spoofed from the routing table's view of the packet's source address: the route back to the source must lead out of the interface the packet arrived on. With multiple uplinks and asymmetric paths, legitimate traffic fails that test, so the defense produces false positives. Take this into account before enabling it. Note also that undo firewall defend ip-spoofing enable has no interface parameter, so disabling it removes the check device-wide, not only on the affected uplink.
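To make the root-cause analysis and the false-positive caveat above concrete, the following Python model replays the attack log entry from this case through a reverse-path check of the kind the defense performs. This is an added illustration, not Huawei's code or configuration: the routing table is constructed from the case description (the ISP1 prefix 116.247.83.0/24 and the interface name GigabitEthernet0/0/1 are assumptions; only GigabitEthernet0/0/0 comes from the log), and the log line is the page's own entry reflowed onto one line. With this deliberately minimal table only the 116.247.83.30 source is dropped; on the real device all four sources were flagged, so its specific routes evidently covered the others as well.

```python
import ipaddress
import re

# Constructed routing table modelling the case: one accurate route for the ISP1
# segment out of the ISP1 link, and a default route out of the ISP2 link.
# ASSUMPTION: the ISP1 prefix and the name GigabitEthernet0/0/1 are invented for
# the example; GigabitEthernet0/0/0 is the receive interface from the attack log.
ROUTES = [
    ("116.247.83.0/24", "GigabitEthernet0/0/1"),  # assumed ISP1 segment, specific route
    ("0.0.0.0/0",       "GigabitEthernet0/0/0"),  # default route towards ISP2
]

# The attack log entry from the case, reflowed onto a single line (constructed input).
ATTACK_LOG = (
    "2011-12-04 17:01:49 wf %%01SEC/5/ATCKDF(l): AttackType:IP spoof attack; "
    "Receive Interface: GigabitEthernet0/0/0 ; proto:ICMP(4120,445) ; "
    "from 116.247.83.30 219.138.202.79 219.138.202.79 218.83.252.125 ; "
    "to 116.247.74.214 116.247.74.214 116.247.74.214 116.247.74.214 ; "
    "begin time :2011/12/4 17:1:19; end time: 2011/12/4 17:1:45; total packets: 13;"
)


def lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns the egress interface, or None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ip_spoof_check(src, in_iface, routes=ROUTES, strict=True):
    """Reverse-path check as a model of the defense (illustrative, not the vendor's code):
    look up the route back to the SOURCE address and compare its egress interface with
    the interface the packet arrived on.
      strict=True  -> drop when the reverse route leaves through a different interface
      strict=False -> drop only when there is no route back to the source at all
    """
    out = lookup(src, routes)
    if out is None:
        return "drop: no route to source"
    if strict and out != in_iface:
        return f"drop: reverse path via {out}, packet arrived on {in_iface}"
    return "pass"


def parse_attack_log(line):
    """Extract the receive interface and the source/destination lists from an ATCKDF line."""
    iface = re.search(r"Receive Interface:\s*(\S+)\s*;", line).group(1)
    m = re.search(r"from\s+([\d. ]+?)\s*;\s*to\s+([\d. ]+?)\s*;", line)
    return {
        "iface": iface,
        "sources": list(dict.fromkeys(m.group(1).split())),  # de-duplicate, keep order
        "dests": list(dict.fromkeys(m.group(2).split())),
    }


def explain(line, routes=ROUTES, strict=True):
    """Replay every logged source through the check on the logged receive interface."""
    entry = parse_attack_log(line)
    return {src: ip_spoof_check(src, entry["iface"], routes, strict)
            for src in entry["sources"]}


if __name__ == "__main__":
    iface = parse_attack_log(ATTACK_LOG)["iface"]
    for src, verdict in explain(ATTACK_LOG).items():
        print(f"{src:16} received on {iface} -> {verdict}")
    # Same packet on the interface the reverse route actually points at: accepted.
    print(ip_spoof_check("116.247.83.30", "GigabitEthernet0/0/1"))
```

The strict variant reproduces the case: the PC's packet enters on GigabitEthernet0/0/0 while the specific route to 116.247.83.0/24 leaves via GigabitEthernet0/0/1, so it is dropped even though the source is genuine. The strict=False variant shows the trade-off of a looser check that only requires some route back to the source: it passes this traffic but would also pass a spoofed source from any routable prefix.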

END