Re: [nsp] weird denied packets

From: Quan Nguyen (quan@vortex.CC.McGill.CA)
Date: Mon Jun 08 1998 - 10:04:33 EDT


On Sat, 6 Jun 1998, Jon Lewis wrote:

> Jun 6 01:00:31 deathstar-ether 1793: %SEC-6-IPACCESSLOGP: list 113 denied
> udp 192.168.1.2(0) -> 207.30.16.10(0), 3 packets
> Jun 6 11:09:02 deathstar-ether 1794: %SEC-6-IPACCESSLOGP: list 113 denied
> udp 192.168.0.1(0) -> 205.229.54.144(0), 6 packets
> Jun 6 11:15:02 deathstar-ether 1795: %SEC-6-IPACCESSLOGP: list 113 denied
> udp 192.168.1.2(0) -> 205.245.11.10(0), 2 packets
>
> Is anyone else seeing lots of denied packets with port 0 on the dst and
> src? This looks like some sort of attack. The ones above were denied
> based on ingress filering (192.168/16 address are invalid for this port),
> but I've gotten reports from customers that they're seeing similar things
> with valid addresses and can't see how their access-lists are denying the
> packets unless it's just because the ports are invalid.

I think that if you only had a deny udp without specifying any ports
then the log entry will only show 0 for the port number. One way to
get the port number printed is to code 'deny udp any range 1 65635'

Quan,

----------------Quan Nguyen-------------McGill UNIVERSITY---------------
   -o Voice (514)398-3709 Computing Center (Burnside Hall)
    ()/// FAX (514)398-6876 805 Sherbrooke St West, Rm 222
                quan@CC.McGill.CA Montreal, Quebec H3A 2K6






This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT