[c-nsp] Stray OSPF packets from non-link-local IPs ranges

Richard Hartmann richih.mailinglist at gmail.com
Fri Jul 4 09:23:38 EDT 2014


Dear all,

as I keep getting off-list queries about this from people who can only
find this thread when searching around (and as 198.50.240.9 is
blasting crap at the moment, so more people start looking):


> Decoding the most recent one, we see that it is actually a malformed
> ICMP protocol unreachable,containing
> an OSPF packet.
>
> The source of the ICMP is 69.162.92.41, the destination is <redacted>.
> The device 69.162.92.41 is apparently not running ospf, but received an
> OSPF packet from <redacted>,
> so it sends back an icmp protocol unreachable.
>
> In the middle of this, the asr9000 sees the malformed ICMP (lengths are
> not correct), but as it contains an OSPF packet, sends
> it to OSPF for processing.
>
> This is harmless, and a future enhancement will prevent this:
> CSCtx47454    prevent ospf from receiving ICMP packets
>
> If the ip <redacted> belongs to you, you may investigate why this
> device is sending OSPF packets to 69.162.92.41.
>
> Or since this is harmless on the asr9000, you can simply ignore the
> BADLENGTH messages and suppress them from the logging:
>
> !
> logging suppress rule BADLENGTH
>   alarm ROUTING OSPF BADLENGTH
> !
> logging suppress apply rule BADLENGTH
>   all-of-router
> !


The idea of this traffic not being a reaction to stuff we sent out
ourselves didn't occur to TAC ;)


Richard


More information about the cisco-nsp mailing list