[nsp-sec] FW: PIM messages from China...
David Freedman
david.freedman at uk.clara.net
Sat Feb 23 09:34:32 EST 2008
Can't tell, I'm afraid, but I've also found this guy doing proto 163 (Mobile IP), so it seems he is trying to exploit the old Cisco bug:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2008-02-22 11:25:44.741 0.000 163 220.249.91.115:0 -> 80.67.107.98:0 .A.... 10 1 1203 1
But why????
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
-----Original Message-----
From: Dave Mitchell [mailto:davem at yahoo-inc.com]
Sent: Sat 2/23/2008 04:03
To: David Freedman
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] PIM messages from China...
Out of curiosity, what are the ttl's on the packets?
-dave
On Sat, Feb 23, 2008 at 03:39:43AM +0000, David Freedman wrote:
> ----------- nsp-security Confidential --------
>
> Have been seeing PIM (proto 103) messages from 220.249.91.115 directed towards some of our colocation customers in the UK.
>
> Hoping this is just an attempt to exploit the old Cisco "blocked" bug (http://www.cisco.com/en/US/products/products_security_advisory09186a00801a34c2.shtml), but would like to draw attention to it in case it is not and something nasty is going on.
>
> AS | IP | AS Name
> 4837 | 220.249.91.115 | CHINA169-BACKBONE CNCGROUP China169 Backbone
>
>
> Dave.
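The flow record quoted above is in nfdump's default line layout. As an added example (not code from the thread, from Claranet, or from the nfdump project), the script below parses records in that layout, flags flows whose IP protocol is on a watch list and whose destination falls inside a monitored customer prefix, and tallies hits per source address, which is the check an operator would run over a flow export to see how widely a source like 220.249.91.115 is probing. The sample records, the customer prefix 80.67.107.0/24, and the watch list (just the two protocols mentioned in the thread, 103 and 163) are assumptions for illustration; extend the watch list with whatever protocols the advisory covers.

```python
"""Flag rare-IP-protocol flows in nfdump-style flow records.

Added example, not from the thread or from any vendor tool. Parses the
line layout nfdump prints by default (as quoted in the thread). The
sample records, customer prefix and watch list below are constructed
for this example.
"""
import ipaddress
from collections import Counter, defaultdict

# nfdump prints well-known protocols by name and the rest as numbers.
PROTO_NAMES = {"ICMP": 1, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50}

# Assumed watch list: only the two protocols observed in the thread.
WATCH_PROTOS = {103: "PIM", 163: "proto 163"}

# Assumed customer space being watched (illustrative).
CUSTOMER_PREFIXES = [ipaddress.ip_network("80.67.107.0/24")]

# Constructed sample: the thread's record plus three made-up neighbours.
SAMPLE_RECORDS = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2008-02-22 11:25:44.741 0.000 163 220.249.91.115:0 -> 80.67.107.98:0 .A.... 10 1 1203 1
2008-02-22 11:25:45.002 0.000 103 220.249.91.115:0 -> 80.67.107.98:0 .A.... 0 1 1203 1
2008-02-22 11:26:01.310 0.120 TCP 203.0.113.7:51512 -> 80.67.107.98:80 .AP.SF 0 12 1840 1
2008-02-22 11:26:07.500 0.000 103 220.249.91.115:0 -> 198.51.100.9:0 .A.... 0 1 1203 1
"""


def parse_record(line):
    """Parse one nfdump 'line'-format record into a dict.

    Returns None for the header line or anything that is not a record.
    Assumes raw numeric counters; nfdump prints very large byte counts
    with a unit suffix ("1.2 M"), which this simple parser does not handle.
    """
    parts = line.split()
    if len(parts) < 12 or parts[5] != "->":
        return None
    proto_field = parts[3]
    if proto_field.isdigit():
        proto = int(proto_field)
    else:
        proto = PROTO_NAMES.get(proto_field.upper())  # None if unknown name
    src_ip, src_port = parts[4].rsplit(":", 1)
    dst_ip, dst_port = parts[6].rsplit(":", 1)
    return {
        "start": parts[0] + " " + parts[1],
        "duration": float(parts[2]),
        "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "flags": parts[7],
        "tos": int(parts[8]),
        "packets": int(parts[9]),
        "bytes": int(parts[10]),
    }


def is_customer(ip):
    """True if ip lies inside any monitored customer prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def find_suspicious(text):
    """Records whose protocol is on the watch list and whose dst is ours."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["proto"] in WATCH_PROTOS and is_customer(rec["dst"]):
            hits.append(rec)
    return hits


def tally_by_source(text):
    """Per-source count of watched protocols seen towards customer space."""
    tally = defaultdict(Counter)
    for rec in find_suspicious(text):
        tally[rec["src"]][WATCH_PROTOS[rec["proto"]]] += 1
    return {src: dict(c) for src, c in tally.items()}


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_RECORDS):
        print(rec["start"], WATCH_PROTOS[rec["proto"]], rec["src"], "->", rec["dst"])
    print(tally_by_source(SAMPLE_RECORDS))
```

Note that this answers "who, what protocol, towards whom" but not Dave Mitchell's TTL question: NetFlow v5 records carry no TTL field, so checking the TTL of these packets needs a packet capture at the edge (for example a tcpdump filter on `ip proto 103`) rather than the flow export.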