SRX Services Gateway

Screen messages and possible routing cause

‎06-24-2016 06:39 AM

Hi all,

I have a recurring message popping up in my screen logs from my SRX3600 firewall. The message is as follows:

RT_SCREEN_IP [junos@2636.1.1.1.2.34 attack-name="IP spoofing!" source-address="0.0.0.0" destination-address="x.x.x.0" protocol-id="17" source-zone-name="outside" interface-name="reth0.0" action="drop"]

I think a possible cause is the double default routes I have configured on the firewall.

One route is configured under routing options:

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
    }
}

While another is configured under a routing instance:

routing-instances {
    internet {
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop "IP of my Internet router";
                    retain;
                }
            }
        }
    }
}

Could this really be the problem for the repeated showing of the IP spoofing line?

If that is the case, can I safely delete the route under routing options, as I primarily use the routes under the routing instance?

Thanks in advance for any help.


Re: Screen messages and possible routing cause

‎06-24-2016 07:17 AM

A default route in the master routing instance and one in a customer instance should not set your source address to 0.0.0.0/0.

Any idea which process generates this traffic? Does your destination address host any specific service that talks to the SRX?

-IE


Re: Screen messages and possible routing cause

‎06-24-2016 07:25 AM

Since this is a firewall which sees a lot of traffic, as there are mostly web servers behind it, I would assume that it's the traffic destined to the web servers.

Any way to be sure what generates the message?


Re: Screen messages and possible routing cause

‎06-24-2016 07:36 AM

What's the destination IP for these packets? Is it an interface on the SRX? If so, we may have to consider this an attack, as the source address "0.0.0.0" doesn't look genuine.

We may apply RE protect filters.

http://forums.juniper.net/t5/SRX-Services-Gateway/Locking-Down-SRX-Management-Best-practise/td-p/435...

Thanks,
Suraj

Re: Screen messages and possible routing cause

‎06-24-2016 07:59 AM

The destination is the .0 address of my public network and not a specific interface or an IP. Also, I have filters on my edge routers that block access to the .0 address of my public range and also drop any traffic with source address 0.0.0.0.

Also, on my other firewalls I can't see any traffic pattern that matches this one. It's really frustrating.


Re: Screen messages and possible routing cause

‎06-24-2016 09:12 AM

Hi,

Maybe you can use "show security flow session" with additional filters to investigate this.

If you manage to filter down to this traffic, you can filter by session-id and look into the details:

show security flow session session-id xxxxx extensive

Looks like a spoofing attack with an invalid source address in the IP header.

 

Cheers,

Ashvin
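
As an added example (not part of the thread and not Juniper tooling): a small Python parser for RT_SCREEN_IP lines in the format quoted in the first post, grouping screen drops by attack name, source, destination, protocol and interface so the recurring pattern can be counted and compared across firewalls. The sample lines are constructed, use documentation address ranges in place of the poster's masked addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the original post
# (addresses are documentation ranges, not values from the thread).
SAMPLE = '''\
RT_SCREEN_IP [junos@2636.1.1.1.2.34 attack-name="IP spoofing!" source-address="0.0.0.0" destination-address="203.0.113.0" protocol-id="17" source-zone-name="outside" interface-name="reth0.0" action="drop"]
RT_SCREEN_IP [junos@2636.1.1.1.2.34 attack-name=""IP spoofing!"" source-address=""0.0.0.0"" destination-address=""203.0.113.0"" protocol-id=""17"" source-zone-name=""outside"" interface-name=""reth0.0"" action=""drop""]
RT_SCREEN_IP [junos@2636.1.1.1.2.34 attack-name="IP spoofing!" source-address="198.51.100.7" destination-address="203.0.113.10" protocol-id="6" source-zone-name="outside" interface-name="reth0.0" action="drop"]
RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.34 source-address="198.51.100.9"]
'''

# key="value" pairs; also tolerates doubled quotes ("") left by CSV-style exports.
PAIR = re.compile(r'([\w-]+)="+([^"]*)"+')
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}  # IP protocol numbers


def parse_screen_line(line):
    """Return the fields of one RT_SCREEN_IP line as a dict, or None for other lines."""
    m = re.search(r'RT_SCREEN_IP \[\S+ (.*)\]', line)
    if not m:
        return None
    return dict(PAIR.findall(m.group(1)))


def summarize(text):
    """Count screen drops per (attack, source, destination, protocol, interface)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_screen_line(line)
        if f is None:
            continue  # not a screen event
        proto = PROTO.get(f.get("protocol-id"), f.get("protocol-id"))
        counts[(f.get("attack-name"), f.get("source-address"),
                f.get("destination-address"), proto, f.get("interface-name"))] += 1
    return counts


def unspecified_sources(counts):
    """Keep only drops whose source is the unspecified address 0.0.0.0, as in the post."""
    return {k: n for k, n in counts.items() if k[1] == "0.0.0.0"}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
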