[nsp-sec] Cisco CPE hitting dst=0.0.0.0 NULL desthost
Mike Lewinski
mike at rockynet.com
Thu Apr 10 03:44:21 EDT 2014
These are all Cisco 1700/2500 series routers. The source IPs are on the
Fa0 interfaces. So the routers are reporting they tried to send a packet
to 0.0.0.0, with tracebacks omitted for brevity here.

What catches my eye are the timestamp groupings. I'm betting I'm not the
only provider to see this kind of activity tonight. I have a year's
worth of syslog saved and don't see this before.

These are all hardened using Cymru secure IOS template as base. None
have enough memory to support SSH, so are managed via telnet only with
vty ACLs locked down to our local management networks. There are no GRE
tunnels or much else that might be considered funky. Not even routing
protocols running, just static defaults.

23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
23:12:48 s0-1319-spruce src=204.144.128.201 dst=0.0.0.0 NULL desthost
23:12:48 s0-1319-spruce src=204.144.130.74 dst=0.0.0.0 NULL desthost
23:12:48 s0-1320-pearl src=204.144.132.234 dst=0.0.0.0 NULL desthost
23:37:26 s0-580-burbank src=207.174.141.186 dst=0.0.0.0 NULL desthost
23:37:26 s0-1320-pearl src=207.174.143.1 dst=0.0.0.0 NULL desthost
23:37:26 sta-207-174-142-97 src=207.174.142.97 dst=0.0.0.0 NULL desthost
23:37:26 s0-westpeak src=207.174.142.193 dst=0.0.0.0 NULL desthost
23:37:26 sta-207-174-157-98 src=207.174.157.98 dst=0.0.0.0 NULL desthost
23:37:26 s0-2100-central src=207.174.157.193 dst=0.0.0.0 NULL desthost
23:44:16 s0-580-burbank src=208.139.193.185 dst=0.0.0.0 NULL desthost
23:44:16 s0-580-burbank src=208.139.204.25 dst=0.0.0.0 NULL desthost
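
An added example, not part of the original post: one way to pull the timestamp groupings described above out of a larger syslog archive, by clustering "NULL desthost" events that arrive close together and keeping the clusters seen on several devices at once. The hostnames, addresses, and the 2-second gap and 3-device thresholds are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the post's line format (documentation addresses,
# made-up hostnames); not taken from the original logs.
SAMPLE = """\
23:12:48 cpe-a src=192.0.2.73 dst=0.0.0.0 NULL desthost
23:12:48 cpe-b src=192.0.2.201 dst=0.0.0.0 NULL desthost
23:12:49 cpe-b src=192.0.2.74 dst=0.0.0.0 NULL desthost
23:12:49 cpe-c src=192.0.2.234 dst=0.0.0.0 NULL desthost
23:20:05 cpe-d src=198.51.100.9 dst=0.0.0.0 NULL desthost
23:37:26 cpe-e src=198.51.100.186 dst=0.0.0.0 NULL desthost
23:37:26 cpe-c src=198.51.100.1 dst=0.0.0.0 NULL desthost
23:37:26 cpe-f src=198.51.100.97 dst=0.0.0.0 NULL desthost
this line is not a NULL desthost event
"""

LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+src=(\S+)\s+dst=0\.0\.0\.0\s+NULL desthost$")

def parse(text):
    """Yield (time, host, src) per matching line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            when = datetime.strptime(m.group(1), "%H:%M:%S")
        except ValueError:          # e.g. "25:61:00" passes the regex
            continue
        yield when, m.group(2), m.group(3)

def bursts(events, gap_s=2, min_hosts=3):
    """Cluster events no more than gap_s apart; keep clusters that span at
    least min_hosts devices. Assumes all lines are from the same day."""
    clusters = []
    for ev in sorted(events):
        if clusters and ev[0] - clusters[-1][-1][0] <= timedelta(seconds=gap_s):
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    out = []
    for c in clusters:
        hosts = sorted({h for _, h, _ in c})
        if len(hosts) >= min_hosts:
            out.append({"start": c[0][0].strftime("%H:%M:%S"), "events": len(c),
                        "hosts": hosts, "sources": sorted({s for _, _, s in c})})
    return out

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE)):
        print(b["start"], b["events"], "events on", ", ".join(b["hosts"]))
```
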