This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Identifying the IP/Subnet Mask in Attack Traffic

0

Hey everyone - question for you: I have a VoIP switch that is the subject of frequent attacks (registration/login types). I am able to identify the source IP address of the attacker with Wireshark, and then block that address with our edge Cisco 2811 router using an access list. Simple enough.

The problem comes in when the attack changes IP addresses after the previous one has been blocked, i.e.: 162.130.100.5 gets blocked via an ACL, then the attack starts back up with 162.130.100.30, and so on.

If I could identify the subnet mask (CIDR notation) that is sent with the packet, I could effectively block the range that is associated with that IP without having to block on an almost classful boundary (i.e.: deny ip 162.130.x.x 0.0.255.255). I would prefer to be specific with the ACL and only block the IP range that is generating the attack.

I have not been able to find a way with Wireshark to identify BOTH the IP address and the associated mask length, which should be included with the packet. I am a novice Wireshark user, so I could be missing something very simple.

Is this possible? Any feedback/assistance would be appreciated.

Thank you!!

Twitch

asked 08 Jul '14, 09:55


Twitch
accept rate: 0%


One Answer:

1

If I could identify the subnet mask (CIDR notation) that is sent with the packet,

The netmask is just a logical construct to allow routing and other stuff done on every system with an IP stack. Hence, the netmask itself is never sent in an IP packet, unless an upper-layer protocol includes the netmask in its payload for whatever reason.

In your case, there is no way to find the netmask in the traffic itself. All you can do is a WHOIS query for that IP address and then block either the whole registered range or only parts of it, if it is a large block.

Regards
Kurt

answered 08 Jul '14, 11:31


Kurt Knochner ♦
accept rate: 15%
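Since the mask is not carried in the packets, the only inputs a defender has are the source addresses already observed (read off Wireshark's ip.src column) and whatever range WHOIS reports as registered. The following Python script is an added example, not code from the original thread or from Wireshark: it infers the smallest CIDR block covering the observed attacker addresses, caps that block at the WHOIS-registered range so the ACL never reaches beyond the registered allocation, and prints the matching Cisco ACL line with its wildcard mask. The sample addresses and the registered block are constructed for illustration; a real WHOIS/RDAP lookup would supply the latter.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample: attacker source addresses as they might appear in
# Wireshark's ip.src column. Illustrative values only, not real attackers.
OBSERVED_SOURCES = ["162.130.100.5", "162.130.100.30", "162.130.100.77"]

# Constructed sample: the block a WHOIS query might report as registered for
# the owner of those addresses. In practice this comes from whois/RDAP.
WHOIS_REGISTERED_BLOCK = "162.130.96.0/20"


def covering_prefix(addresses: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single CIDR block containing every observed address.

    The mask is never in the packet, so it is inferred from the addresses
    alone: the block whose prefix length equals the longest common bit prefix.
    """
    ips = [ipaddress.IPv4Address(a) for a in addresses]
    if not ips:
        raise ValueError("need at least one observed address")
    for prefix in range(32, -1, -1):
        candidate = ipaddress.IPv4Network((ips[0], prefix), strict=False)
        if all(ip in candidate for ip in ips):
            return candidate
    raise AssertionError("unreachable: /0 contains every IPv4 address")


def clip_to_registered(block: ipaddress.IPv4Network,
                       registered: Optional[str]) -> ipaddress.IPv4Network:
    """Never block beyond the WHOIS-registered range.

    Two CIDR blocks are either nested or disjoint. If the inferred block is
    wider than the registered one (attack sources spread across the whole
    allocation and beyond), fall back to the registered block; otherwise the
    narrower inferred block is the more specific, and therefore safer, choice.
    """
    if registered is None:
        return block
    reg = ipaddress.IPv4Network(registered)
    return reg if reg.subnet_of(block) else block


def cisco_acl_deny(block: ipaddress.IPv4Network) -> str:
    """Render an IOS extended-ACL deny entry; IOS wants a wildcard (host) mask."""
    return f"deny ip {block.network_address} {block.hostmask} any"


def build_acl_entry(addresses: Iterable[str],
                    registered: Optional[str] = None) -> str:
    """Full pipeline: observed sources -> covering prefix -> clipped -> ACL line."""
    return cisco_acl_deny(clip_to_registered(covering_prefix(addresses), registered))


if __name__ == "__main__":
    inferred = covering_prefix(OBSERVED_SOURCES)
    print(f"observed sources cover {inferred} ({inferred.num_addresses} addresses)")
    print(build_acl_entry(OBSERVED_SOURCES, WHOIS_REGISTERED_BLOCK))
```

The inferred prefix only gets wider as new source addresses appear, so re-run it whenever a fresh address is blocked; if it widens to something like a /15, the clipped, WHOIS-registered block is what keeps the ACL from denying unrelated networks.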