[nsp-sec] Cisco CPE hitting dst=0.0.0.0 NULL desthost
Chris Morrow
morrowc at ops-netman.net
Thu Apr 10 10:08:23 EDT 2014
On 04/10/2014 03:44 AM, Mike Lewinski wrote:
> ----------- nsp-security Confidential --------
>
> These are all Cisco 1700/2500 series routers. The source IPs are on the
> Fa0 interfaces. So the routers are reporting they tried to send a packet
> to 0.0.0.0, with tracebacks omitted for brevity here.
>
> What catches my eye are the timestamp groupings. I'm betting I'm not the
> only provider to see this kind of activity tonight. I have a year's
> worth of syslog saved and haven't seen this before.
These are caught in outbound filters off the CPE toward your network?
>
> These are all hardened using the Cymru secure IOS template as a base. None
> have enough memory to support SSH, so they are managed via telnet only with
> vty ACLs locked down to our local management networks. There are no GRE
> tunnels or much else that might be considered funky. Not even routing
> protocols running, just static defaults.
>
> 23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1319-spruce src=204.144.128.201 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1319-spruce src=204.144.130.74 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1320-pearl src=204.144.132.234 dst=0.0.0.0 NULL desthost
Are the hosts owned/used by someone at the same company? Could this be
someone's software upgrade (on machines) gone bad? (Or the equivalent.)
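The "timestamp groupings" Mike points at are the signal worth automating: one CPE logging a send to 0.0.0.0 is noise, several unrelated devices doing it in the same second is something to correlate with other providers. The script below is an added example, not code from the thread or from either poster. It parses syslog lines of the exact shape quoted above, buckets them by second, and flags seconds in which more than one router and more than a couple of source addresses reported the event. The sample input reuses the four quoted lines and adds two constructed lines (192.0.2.0/24 is the RFC 5737 documentation range); the burst thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Regex for the syslog shape quoted in the thread:
#   HH:MM:SS <router> src=<ip> dst=<ip> NULL desthost
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+(?P<router>\S+)\s+"
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+NULL desthost\s*$"
)

# Constructed sample input: the four lines quoted in the thread, plus one
# isolated event from a constructed router (should NOT be flagged) and one
# unrelated syslog message (should be skipped by the parser).
SAMPLE_LOG = """\
23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
23:12:48 s0-1319-spruce src=204.144.128.201 dst=0.0.0.0 NULL desthost
23:12:48 s0-1319-spruce src=204.144.130.74 dst=0.0.0.0 NULL desthost
23:12:48 s0-1320-pearl src=204.144.132.234 dst=0.0.0.0 NULL desthost
23:40:02 s0-example-cpe src=192.0.2.10 dst=0.0.0.0 NULL desthost
%SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.1)
"""


def parse_null_desthost(text):
    """Return one dict per line that matches the NULL desthost shape with
    dst=0.0.0.0. Other syslog messages are skipped, not rejected."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dst") == "0.0.0.0":
            events.append(m.groupdict())
    return events


def group_by_second(events):
    """Bucket events by HH:MM:SS; each bucket records the distinct routers
    and distinct source addresses seen in that second."""
    buckets = defaultdict(lambda: {"routers": set(), "sources": set()})
    for ev in events:
        bucket = buckets[ev["ts"]]
        bucket["routers"].add(ev["router"])
        bucket["sources"].add(ev["src"])
    return buckets


def find_bursts(events, min_routers=2, min_sources=3):
    """Return the sorted timestamps at which at least `min_routers` distinct
    CPE devices and `min_sources` distinct source addresses reported the
    event in the same second. Thresholds are assumptions, not from the
    thread; a single device logging once falls below them."""
    buckets = group_by_second(events)
    return sorted(
        ts
        for ts, b in buckets.items()
        if len(b["routers"]) >= min_routers and len(b["sources"]) >= min_sources
    )


def summarize(text, **thresholds):
    """Parse a syslog excerpt and report the event count and burst seconds."""
    events = parse_null_desthost(text)
    return {"events": len(events), "bursts": find_bursts(events, **thresholds)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} NULL desthost events parsed")
    for ts in report["bursts"]:
        print(f"burst at {ts}: same-second reports from multiple CPE devices")
```

Run against a day of collected syslog, the `bursts` list is what you would compare with another provider's timestamps (or with your own change and upgrade records, per Chris's question) before deciding whether the pattern is local or wider. The 23:40:02 line shows the deliberate negative case: one device, one source, not flagged.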