Re: [nsp] Unknown packets

From: Kai (kai@www.abest.com)
Date: Sat Dec 27 1997 - 21:29:24 EST


>
> At 06:08 PM 1997/12/25 -0500, you wrote:
> >> We are using many 2501s, 2511s, 7507 and many sunsparc workstations which
> >> are all connected to Cisco 1900 switching hub. However, today I have found
> >> that all the routers 2501s, 2511s and sunsparc workstations which generate
> >> a large number of packets with a destination address 207.17.227.186 and
> >> 209.45.172.124. Those unknown packets take a lot of our outgoing bandwidth
> >> of 7507.
> >>
> >> I suspect the switched hub has problem and I'm going to reset the 1900 or
> >> swap to a normal hub if the problem still exists. Do you have any idea or
> >> experience for this happening?
> >>
> >> Humphrey
> >>
> >
> >Humphrey, what kind of packets are they? Is it possible somebody from
> >those addresses is receiving some kind of data from your LAN?
> >Possibly unauthorized data? Is it possible those are forged packets?
> >
> >Can you trap a bunch of them to check? I would think it highly unlikely
> >that the cisco hub or routers are causing this.
> >
> >Perhaps put a packet sniffer on the LAN?
> >
> >-Jon
> >
>
>
> Thanks Jon,
>
> Because of the holidays, I didn't check and capture with the protocol analyser,
> but those unknown packets stopped not long ago. The access-list
> below was used to stop them from occupying our internet gateway.
>
> gw1>sh access-list 191
> Extended IP access list 191
> deny ip any host 207.17.227.186 (3036144 matches)
> deny ip any host 209.45.172.124 (3235972 matches)
> permit ip any any (38367015 matches)
> gw1>
>
> Those denied packets were generated from each of our existing cisco routers
> and are quite large in number. They were discovered by "sh ip accounting"
> from our gateway router. They were all full size packets and took the same
> bandwidth for each originating router.
>
> They originated from the IP address of each router itself but not from
> its serial or async interfaces. They were even generated from those idle
> routers which are not connected to any other interfaces.
>
> Humphrey
>

This all very much sounds like a denial of service attack against those
two destinations, using directed broadcasts into your network with
spoofed return addresses.

Using the "no ip directed-broadcasts" on all your ethernet interfaces
(cisco routers) seems like a good idea. The topic was discussed at
length on a number of lists a little while ago.

You should sniff your network at various points to see where these
packets are coming from (if you have more than one Internet connection),
then contact your upstream provider for assistance.

Someone oughta make a law forcing downstreams to filter for valid
return addresses on all outgoing packets. *flee*

bye, Kai
-- 
kai@9inch.org "Just say No" to Spam Kai Schlichting
Palo Alto, CA Sophisticated Technical Peon
Kai's SpamShield <tm> is for you - FREE! www.9inch.org/~kai/spamshield.html
LeasedLines-FrameRelay-IPLs-ISDN-PPPdial-Cisco-Consulting-VoiceFax-Data-Muxes
WorldWideWebAnything-Intranets-NetworkAdmin-UnixAdmin-Security-ReallyHardMath
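The pattern Humphrey saw in "sh ip accounting" (every internal router's own address sending full-size packets to the same two outside hosts) is the fingerprint of directed-broadcast reflection that Kai describes. The script below is an added example, not from this thread or from Cisco, that flags that pattern in accounting output; the 192.0.2.0/24 local prefix and the RFC 5737 addresses in the sample are constructed stand-ins, not the addresses from the thread.

```python
# Added example (not from the original thread): spot smurf-style reflection in
# "show ip accounting" output. Several distinct internal hosts all sending
# full-size packets to one external destination is the signature of
# directed-broadcast amplification with a spoofed (victim) source address.
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of "show ip accounting":
# a header line, then rows of Source / Destination / Packets / Bytes.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.1        203.0.113.186               41230            61845000
 192.0.2.2        203.0.113.186               40980            61470000
 192.0.2.3        203.0.113.186               41010            61515000
 192.0.2.1        198.51.100.124              40011            60016500
 192.0.2.2        198.51.100.124              39877            59815500
 192.0.2.3        198.51.100.124              40500            60750000
 192.0.2.9        198.51.100.7                  120                9600
 192.0.2.4        192.0.2.20                   5000             3000000
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed local prefix

def parse_accounting(text):
    """Yield (src, dst, packets, bytes) from show ip accounting text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # header or blank line
        yield parts[0], parts[1], int(parts[2]), int(parts[3])

def find_reflection_targets(text, min_sources=3, min_avg_bytes=1000):
    """Return {dst: sorted internal sources} for external destinations hit
    by full-size packets from several distinct internal hosts at once."""
    by_dst = defaultdict(lambda: {"src": set(), "pkts": 0, "bytes": 0})
    for src, dst, pkts, byts in parse_accounting(text):
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # local-to-local traffic is not outbound reflection
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # only our own hosts can be the amplifiers here
        entry = by_dst[dst]
        entry["src"].add(src)
        entry["pkts"] += pkts
        entry["bytes"] += byts
    return {dst: sorted(e["src"]) for dst, e in by_dst.items()
            if len(e["src"]) >= min_sources
            and e["bytes"] / e["pkts"] >= min_avg_bytes}

if __name__ == "__main__":
    for dst, srcs in find_reflection_targets(SAMPLE).items():
        print(f"likely reflection target {dst} from {len(srcs)} local hosts")
```

Each flagged destination is a probable spoofed victim, which is the address to give the upstream provider; the local sources are the routers still answering directed broadcasts.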



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT