[nsp-sec] Cisco CPE hitting dst=0.0.0.0 NULL desthost

Chris Morrow morrowc at ops-netman.net
Thu Apr 10 14:41:56 EDT 2014



On 04/10/2014 10:43 AM, Mike Lewinski wrote:
> ----------- nsp-security Confidential --------
> 
> On 4/10/14 10:08 AM, Chris Morrow wrote:
> 
>> these are caught in outbound filters off the CPE toward your network?
> 
> No, IOS threw exceptions at our syslog. I don't think these packets left
> the local routers. Here's what a single event looked like in full:

odd.

> 23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
> 23:12:48 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
> 8027B564 802421BC 80243108 8023EF9C 8027B48C 80261754 8025F47C 8025F574
> 8025F70C 8014DED8
> 

ip-input on larger devices is packets being software switched, or
packets the router thinks are destined to itself.

> All of them logged three similar lines. Google didn't find much to
> explain, but one post had a query about GRE which has me thinking maybe
> the sources are miscreants looking for a way to capture traffic and use
> heartbleed to maximum effect.

maybe, seems coincidental to me though? possibly something on the local
lan is trying to spoof packets and has headers misaligned? but that also
seems far fetched :(

>> are the hosts owned/used by someone at the same company? could this be
>> someone's software upgrade (on machines) gone bad? (or the equivalent)
> 
> No, these are shared T1s used by lots of disparate small businesses.
> 
> I meant to say that timestamps are MDT / -6 UTC. It's unlikely there was
> anyone in most of these sites actively using the connections at 11pm.
> These are mostly 9-5 folks, CPAs, lawyers, etc.

yea, this was sort of why I was thinking 'software upgrade gone wrong'
... but maybe that's still the case if there are systems like most
free-unixes that updated openssl/etc just recently.

-chris

> 
> I also checked our tacacs logs but found nothing there corresponding in
> time.
> 
> I also checked our traffic/cpu/memory graphs for the kinds of spikes
> that typically accompany DDOS, again there was nothing interesting.
> 
> While I still have logins to those hosts, they're effectively off my
> network and not my direct responsibility anymore.
> 
> Mike
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
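As an added example (not part of this thread or of any Cisco tooling), a small Python parser for the three-line IOS syslog event quoted above: it groups the src/dst header with its -Process and -Traceback lines, handles a traceback wrapped onto a continuation line the way the quoted one was, and counts dst=0.0.0.0 hits per router and source address along with the distinct traceback signatures seen. The sample lines, source and destination addresses, and the continuation line are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the three-line shape quoted in the thread; the source
# address and the wrapped traceback continuation line are made up.
SAMPLE_LOG = """\
23:12:48 s0-850-s-boulderrd src=198.51.100.7 dst=0.0.0.0 NULL desthost
23:12:48 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:12:48 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
8027B564 802421BC 80243108
23:12:49 s0-850-s-boulderrd src=198.51.100.7 dst=0.0.0.0 NULL desthost
23:12:49 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:12:49 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
23:15:02 s0-850-s-boulderrd src=198.51.100.7 dst=203.0.113.5 NULL desthost
23:15:02 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:15:02 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
"""
EVENT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) (?P<host>\S+) src=(?P<src>\S+) "
                      r"dst=(?P<dst>\S+) NULL desthost$")
PROC_RE = re.compile(r"^\S+ \S+ -Process= \"(?P<proc>[^\"]*)\"")
TB_RE = re.compile(r"^\S+ \S+ -Traceback= (?P<tb>.*)$")
CONT_RE = re.compile(r"^[0-9A-Fa-f]{8}( [0-9A-Fa-f]{8})*$")  # wrapped traceback

def parse_events(text):
    """Group the syslog lines into one dict per 'NULL desthost' event."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line: continue
        if m := EVENT_RE.match(line):  # header line starts a new event
            cur = {"ts": m["ts"], "host": m["host"], "src": m["src"],
                   "dst": m["dst"], "process": None, "traceback": []}
            events.append(cur)
        elif cur is None:
            continue  # stray -Process/-Traceback line with no header
        elif m := PROC_RE.match(line):
            cur["process"] = m["proc"]
        elif m := TB_RE.match(line):
            cur["traceback"] = m["tb"].split()
        elif CONT_RE.match(line):  # traceback wrapped onto the next line
            cur["traceback"].extend(line.split())
    return events

def summarize(events, dst="0.0.0.0"):
    """Per (host, src): count of events hitting dst and distinct tracebacks."""
    out = defaultdict(lambda: {"count": 0, "tracebacks": set()})
    for e in events:
        if e["dst"] == dst:
            k = out[(e["host"], e["src"])]
            k["count"] += 1
            k["tracebacks"].add(tuple(e["traceback"]))
    return dict(out)
```

A repeated traceback signature across events means the same code path was hit each time, which is the detail a TAC case or a search for a matching IOS bug ID needs.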


