[c-nsp] Suspicious packets isp PoS int.

Karim Adel karim.adel at gmail.com
Tue Sep 14 06:45:30 EDT 2004


Hello,

We're running an ISP here, and we have our main internet gateway with an
OC3 to our service provider through a PoS int.

I've been playing with netflow from that PoS, and observed a large
number of packets destined to its address, which in my humble
experience sounds weird to me.

Maybe I should see some SNMP from my provider, but why random sourced
ICMPs (check the following):


permit ip any host 80.x.x.x (602465 matches)


*Sep 14 17:06:20: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
209.104.48.35 (POS4/0/0 ) -> 80.x.x.x (8/0), 1 packet
*Sep 14 17:06:21: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
194.109.192.27 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:22: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
66.102.2.242 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:24: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
159.153.192.124 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:26: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
209.152.119.230 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:27: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
217.29.135.3 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:29: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
206.16.213.10 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:30: %SEC-6-IPACCESSLOGP: list blockall permitted udp
69.25.83.51(10445) (POS4/0/0 ) -> 80.x.x.x(33435), 1 packet
*Sep 14 17:06:32: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
66.102.1.241 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:33: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
166.90.148.202 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:34: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
217.6.176.23 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 23 packets
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
38.119.82.3 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
63.112.168.42 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
213.168.76.13 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGP: list blockall permitted udp
69.25.83.52(10445) (POS4/0/0 ) -> 80.x.x.x(33436), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
211.115.103.253 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
66.102.10.122 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
209.170.95.149 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
63.208.104.81 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet

Kind Regards,

-- 
~Karim
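
Added example, not part of the original post: one way to tally ACL log lines in the format shown above by protocol and ICMP type/code, so the mix of traffic hitting the interface address is visible at a glance. The sample log is constructed (documentation-range source addresses), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same format as the post's log (source addresses
# are documentation ranges; the destination is redacted as in the post).
SAMPLE_LOG = """\
*Sep 14 17:06:20: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
192.0.2.35 (POS4/0/0 ) -> 80.x.x.x (8/0), 1 packet
*Sep 14 17:06:21: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
198.51.100.27 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:22: %SEC-6-IPACCESSLOGDP: list blockall permitted icmp
203.0.113.242 (POS4/0/0 ) -> 80.x.x.x (0/0), 1 packet
*Sep 14 17:06:30: %SEC-6-IPACCESSLOGP: list blockall permitted udp
198.51.100.51(10445) (POS4/0/0 ) -> 80.x.x.x(33435), 1 packet
*Sep 14 17:06:36: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 23 packets
"""

ICMP_RE = re.compile(r"%SEC-6-IPACCESSLOGDP: list \S+ \w+ icmp (\S+) .*-> \S+ \((\d+)/(\d+)\), (\d+) packet")
L4_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ \w+ (tcp|udp) ([^\s(]+)\((\d+)\) .*-> [^\s(]+\((\d+)\), (\d+) packet")
MISSED_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*missed (\d+) packet")
# The (type/code) pair in the log: type 0 is echo reply, type 8 is echo request.
ICMP_NAMES = {(0, 0): "echo-reply", (8, 0): "echo-request"}

def unwrap(text):
    """Rejoin entries that the mail client wrapped onto a second line."""
    entries = []
    for line in text.splitlines():
        if line.startswith("*") or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Return (packet counts per kind, distinct source count, unlogged packets)."""
    kinds, sources, missed = Counter(), set(), 0
    for entry in unwrap(text):
        if m := ICMP_RE.search(entry):
            t, c = int(m[2]), int(m[3])
            kinds["icmp " + ICMP_NAMES.get((t, c), f"{t}/{c}")] += int(m[4])
            sources.add(m[1])
        elif m := L4_RE.search(entry):
            kinds[f"{m[1]} dport {m[4]}"] += int(m[5])
            sources.add(m[2])
        elif m := MISSED_RE.search(entry):
            missed += int(m[1])  # packets the router did not log individually
    return kinds, len(sources), missed
```

`summarize()` also adds up the `IPACCESSLOGRL` "missed" counts, since rate-limited logging means the per-packet lines undercount what the ACL actually matched.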

