
Why do I see IP Spoof messages in Security logs when there is no actual impact? 

Apr 09, 2015 07:04 AM

Environment: Any customer environment with Apple iOS / OS X devices.

 

Below is an example of security logs with IP Spoof messages.

(TAC-LAB) #show log all | include spoof
Dec 12 09:41:37  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=08:70:45:04:b0:db Sender-IP=192.168.1.13 Sender-MAC=08:70:45:04:b0:db IP spoof with exsting MAC=84:b1:53:a5:a5:19, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.


If the device has previously connected to the network, Apple OS X and iOS devices tend to ARP for the gateway IP using the IP address they held during their last session. That IP address may since have been leased to another client, so the ARP requests trigger the spoof messages.

Below is an example:

Dec 12 09:43:18  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=10.131.112.9 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=2c:54:cf:e4:a5:d1, Drop It.

A packet capture taken on the controller shows that the ARP request sent by the client uses an IP address that is in use by another user.

The controller therefore prints the IP spoof log messages. However, there is no connectivity impact in this scenario.
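
When triaging these entries, it helps to group the <522250> drops by sender MAC and see how long each sender kept claiming another client's IP. The script below is an added example, not part of the original article or of any Aruba tooling; the sample lines are constructed, and the 60-second burst threshold and the verdict labels are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the <522250> format shown above (MACs and IPs are made up).
SAMPLE_LOG = """\
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=02:00:00:00:00:aa Sender-IP=192.0.2.6 Sender-MAC=02:00:00:00:00:aa IP spoof with exsting MAC=02:00:00:00:00:01, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=02:00:00:00:00:aa Sender-IP=192.0.2.7 Sender-MAC=02:00:00:00:00:aa IP spoof with exsting MAC=02:00:00:00:00:02, Drop It.
Dec 12 09:41:37  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=02:00:00:00:00:bb Sender-IP=192.0.2.13 Sender-MAC=02:00:00:00:00:bb IP spoof with exsting MAC=02:00:00:00:00:03, Drop It.
Dec 12 09:55:10  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=02:00:00:00:00:bb Sender-IP=192.0.2.13 Sender-MAC=02:00:00:00:00:bb IP spoof with exsting MAC=02:00:00:00:00:03, Drop It.
Dec 12 09:55:11  someproc[1]: constructed unrelated line that must be ignored
"""

# The controller spells the word "exsting"; "exi?sting" also accepts a corrected spelling.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+authmgr\[\d+\]:\s+<522250>.*?"
    r"Sender-IP=(?P<ip>\S+)\s+Sender-MAC=(?P<sender>[0-9A-Fa-f:]{17})\s+"
    r"IP spoof with exi?sting MAC=(?P<owner>[0-9A-Fa-f:]{17})"
)

def summarize(log_text, max_burst_seconds=60):
    """Group <522250> drops by sender MAC. max_burst_seconds is an assumed threshold."""
    events = defaultdict(lambda: {"count": 0, "claims": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IP spoof drop message
        # Syslog timestamps carry no year; a fixed leap year keeps deltas valid.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        e = events[m["sender"].lower()]
        e["count"] += 1
        e["claims"].add((m["ip"], m["owner"].lower()))  # (claimed IP, current owner)
        e["times"].append(ts)
    report = {}
    for mac, e in events.items():
        span = (max(e["times"]) - min(e["times"])).total_seconds()
        short = span <= max_burst_seconds
        report[mac] = {
            "count": e["count"],
            "claims": sorted(e["claims"]),
            "span_seconds": span,
            # A brief burst matches the stale-lease ARP behaviour described above.
            "verdict": "short burst" if short else "persistent, review",
        }
    return report

if __name__ == "__main__":
    for mac, row in summarize(SAMPLE_LOG).items():
        print(mac, row)
```
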
