[nsp-sec] Cisco CPE hitting dst=0.0.0.0 NULL desthost
Dario Ciccarone
dciccaro at cisco.com
Mon May 5 10:26:14 EDT 2014
There are many reasons why those messages could be generated. The
standard process here would be to open a TAC case w/ all the required
information (show tech a must, tracebacks, etc) so a TAC CSR can analyze
the traceback and tell you which process within the router is generating
those messages (and no, I'm not talking about IP Input - I'm talking
about the full traceback decode, to which handler got the packet - NTP,
VoIP, etc).

I did a quick check and couldn't find a match for the traceback you
provided. So, as said - open a TAC case :)

However, as those are 1700s and 2500s, chances of it getting fixed are
NIL . . .

Thanks,
Dario

On 4/10/14 3:44 AM, Mike Lewinski wrote:
> ----------- nsp-security Confidential --------
>
> These are all Cisco 1700/2500 series routers. The source IPs are on
> the Fa0 interfaces. So the routers are reporting they tried to send a
> packet to 0.0.0.0, with tracebacks omitted for brevity here.
>
> What catches my eye are the timestamp groupings. I'm betting I'm not
> the only provider to see this kind of activity tonight. I have a
> year's worth of syslog saved and don't see this before.
>
> These are all hardened using Cymru secure IOS template as base. None
> have enough memory to support SSH, so are managed via telnet only with
> vty ACLs locked down to our local management networks. There are no
> GRE tunnels or much else that might be considered funky. Not even
> routing protocols running, just static defaults.
>
> 23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1319-spruce src=204.144.128.201 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1319-spruce src=204.144.130.74 dst=0.0.0.0 NULL desthost
> 23:12:48 s0-1320-pearl src=204.144.132.234 dst=0.0.0.0 NULL desthost
>
> 23:37:26 s0-580-burbank src=207.174.141.186 dst=0.0.0.0 NULL desthost
> 23:37:26 s0-1320-pearl src=207.174.143.1 dst=0.0.0.0 NULL desthost
> 23:37:26 sta-207-174-142-97 src=207.174.142.97 dst=0.0.0.0 NULL desthost
> 23:37:26 s0-westpeak src=207.174.142.193 dst=0.0.0.0 NULL desthost
> 23:37:26 sta-207-174-157-98 src=207.174.157.98 dst=0.0.0.0 NULL desthost
> 23:37:26 s0-2100-central src=207.174.157.193 dst=0.0.0.0 NULL desthost
>
> 23:44:16 s0-580-burbank src=208.139.193.185 dst=0.0.0.0 NULL desthost
> 23:44:16 s0-580-burbank src=208.139.204.25 dst=0.0.0.0 NULL desthost
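The timestamp grouping pointed out in the quoted message can be checked mechanically across a syslog archive. The following is an added example, not code from either poster: it assumes the condensed line format quoted above and a single day of logs (time-only timestamps), and the hostnames, addresses, `window_s` and `min_sources` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Condensed format from the thread: HH:MM:SS <host> src=<ip> dst=0.0.0.0 NULL desthost
LINE_RE = re.compile(r"(?P<ts>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+src=(?P<src>\S+)"
                     r"\s+dst=0\.0\.0\.0\s+NULL desthost")

def parse(lines):
    """Yield (time, host, src) for every NULL-desthost line; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%H:%M:%S"), m["host"], m["src"]

def find_bursts(lines, window_s=2, min_sources=3):
    """Chain events whose gap to the previous event is <= window_s seconds and
    return the chains reported from at least min_sources distinct src IPs."""
    events = sorted(parse(lines))
    bursts, group = [], []
    for ev in events:
        if group and ev[0] - group[-1][0] > timedelta(seconds=window_s):
            bursts.append(group)
            group = []
        group.append(ev)
    if group:
        bursts.append(group)
    return [
        {"start": g[0][0].strftime("%H:%M:%S"),
         "hosts": sorted({h for _, h, _ in g}),
         "sources": sorted({s for _, _, s in g})}
        for g in bursts
        if len({s for _, _, s in g}) >= min_sources
    ]

# Constructed sample input (documentation addresses, made-up hostnames).
SAMPLE = """\
23:12:48 cpe-a src=192.0.2.10 dst=0.0.0.0 NULL desthost
23:12:48 cpe-b src=192.0.2.20 dst=0.0.0.0 NULL desthost
23:12:49 cpe-c src=198.51.100.5 dst=0.0.0.0 NULL desthost
23:20:01 cpe-a src=192.0.2.10 dst=0.0.0.0 NULL desthost
23:37:26 cpe-d src=203.0.113.7 dst=0.0.0.0 NULL desthost
23:37:26 cpe-e src=203.0.113.8 dst=0.0.0.0 NULL desthost
23:37:27 cpe-b src=192.0.2.20 dst=0.0.0.0 NULL desthost
23:40:00 cpe-a %SYS-5-CONFIG_I: Configured from console
""".splitlines()

if __name__ == "__main__":
    for b in find_bursts(SAMPLE):
        print(b["start"], len(b["sources"]), "sources:", ", ".join(b["hosts"]))
```

An isolated event from one router (23:20:01 in the sample) is not reported; only near-simultaneous events from several distinct sources are, which is the pattern that suggests a common external trigger rather than a single misbehaving device.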