[cisco-voip] a strange flood of packets from ccm

Leonardo D'Urso durso at alter.it
Tue May 4 11:14:15 EDT 2004 

hi there,

in december '03, and today we have received a lot of packets by publisher
and subscriber, directed to all ports of cisco catalist switch. The
average is 2000 packets per second! It seems like a discovery probe made
on all ports via cdp. I have verified and no worm or virus is installed on
machines. Today I had ccm334, os 2.5.sr7, microsoft patches installed
including ms04-011, and mcafee antivirus up and running. What I have done
to solve is an upgrade to os version 2.6, but I think that this upgrade is
not the cure.  I think that the reboot has solved, until the next flood.

Please anyone have an idea?

here a sample group of packets.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/10-19:18:14.402103 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
len:0xD6
10.89.5.1:24628 -> 10.89.23.240:18268 UDP TTL:127 TOS:0xB8 ID:56599
IpLen:20
DgmLen:200
Len: 172
80 08 4B E4 29 6B 5B 60 00 00 06 86 55 55 55 55  ..K.)k[`....UUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/10-19:18:14.402112 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
len:0xD6
10.89.5.1:24646 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56600
IpLen:20
DgmLen:200
Len: 172
80 08 AF 9D 0B 09 A7 80 00 00 06 92 55 55 55 55  ............UUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/10-19:18:14.402116 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
len:0xD6
10.89.5.1:24650 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56601
IpLen:20
DgmLen:200
Len: 172
80 08 A9 E5 0B 06 12 A0 00 00 06 95 55 55 55 55  ............UUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/10-19:18:14.402120 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
len:0xD6
10.89.5.1:24658 -> 10.89.23.240:16422 UDP TTL:127 TOS:0xB8 ID:56602
IpLen:20
DgmLen:200
Len: 172
80 08 88 56 0A F1 15 80 00 00 06 9B 55 55 55 55  ...V........UUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

thanks in advance.
Leonardo


--
Leonardo D'Urso              alter.net Srl
e-mail: durso at alter.it       Via Attilio Ambrosini, 177
VOICE: +39-06-5405740        I-00147 Roma
FAX:   +39-06-5405883        Italy

More information about the cisco-voip mailing list