Re: [nsp] Unknown packets

From: Jonathan Hartford (jon@outland.net)
Date: Fri Dec 26 1997 - 10:31:10 EST


[snipped originals]

> Thanks Jon,
>
> Because of holidays, I didn't check and capture with the protocol analyser
> but those unknown packets have been stopped not long ago. The access-list
> below was used to stop them from occupying our internet gateway.
>
> gw1>sh access-list 191
> Extended IP access list 191
> deny ip any host 207.17.227.186 (3036144 matches)
> deny ip any host 209.45.172.124 (3235972 matches)
> permit ip any any (38367015 matches)
> gw1>
>
> Those denied packets were generated from each of our existing cisco routers
> and are quite large in number. They were discovered by "sh ip accounting"
> from our gateway router. They were all full size packets and took the same
> bandwidth for each originating router.
>
> They were originated from the IP address of each router itself but not from
> its serial or async interfaces. They were even generated from those idle
> routers which are not connected to any other interfaces.
>
> Humphrey
>

It sounds vaguely like a smurf attack on somebody, using your routers to
start it. I'd trap some packets so that you can figure out who is spoofing
the addresses, and get them canned. If you'll check, those two addresses
are random dialups. See if you can trap some whole packets or watch
connections. I seriously suggest "no ip directed-broadcast" on all your
interfaces.

Just an opinion though.

-Jon Hartford
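As an added example (not part of the original thread), a small Python script that applies the check Humphrey describes to constructed `show ip accounting` output: it flags destinations that several of your own routers are hitting with full-size packets, the pattern that pointed at the two hosts in access-list 191. The router addresses, the counts and the column layout of the sample are assumptions; the two destination addresses are the ones quoted above.

```python
from collections import defaultdict

# Constructed sample of `show ip accounting` output on a gateway router (added
# example, not from the thread). Router addresses and counts are made up; the two
# destinations are the ones quoted in the thread.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.1        207.17.227.186               1012048          1518072000
 192.0.2.2        207.17.227.186               1012048          1518072000
 192.0.2.3        207.17.227.186               1012048          1518072000
 192.0.2.1        209.45.172.124               1078657          1617985500
 192.0.2.2        209.45.172.124               1078657          1617985500
 192.0.2.3        209.45.172.124               1078658          1617987000
 192.0.2.50       198.51.100.7                     412               61800
"""

FULL_SIZE = 1500  # bytes; the thread's suspect flows were all full-size packets


def parse_accounting(text):
    """Yield (src, dst, packets, bytes) from `show ip accounting` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # header, blank or truncated lines
        src, dst, pkts, byts = parts
        yield src, dst, int(pkts), int(byts)


def find_amplification_targets(text, router_addrs, min_sources=2, tolerance=50):
    """Return {dst: [src, ...]} for destinations that several routers are flooding.

    A destination qualifies when at least `min_sources` distinct router
    addresses send it traffic averaging within `tolerance` bytes of FULL_SIZE.
    """
    sources = defaultdict(set)
    for src, dst, pkts, byts in parse_accounting(text):
        if src not in router_addrs or pkts == 0:
            continue
        if abs(byts / pkts - FULL_SIZE) <= tolerance:
            sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    routers = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
    for dst, srcs in sorted(find_amplification_targets(SAMPLE, routers).items()):
        print(f"{dst}: full-size packets from {len(srcs)} routers: {', '.join(srcs)}")
```

Feed it the real accounting table and the set of your routers' own addresses; a destination reached by many routers at identical per-router volume is the one to capture packets toward, as Jon suggests.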



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT