4 Replies Latest reply: Feb 13, 2012 6:16 PM by James RSS

    How do I determine the direction of an attack if the source is spoofed?

    Syed Amir Azhar

      Hi, I've got this signature firing from my Cisco AIM-IPS,


      1104/0 IP localhost source spoof


      Description : This signature triggers when an IP packet with a address of is detected. This is a local host IP address and should never be seen on the network This may be indicative of someone trying to take advantage of local host trust relationships to either gain access to or in some other way subvert a target machine.An attacker can specify an arbitrary source address for a packet in an attempt to bypass address-based authentication mechanisms or other access controls. This is especially effective if the arbitrary source address is a machine behind the router.


      So.... how to best respond to this attack ? I've read that I need to deploy packet filtering devices on the border of my networks, but what if the attack is already coming in from within the network (Say like this is the work of a virus?)