On Wed, 17 Oct 2001, Heidi wrote:

> Toby, yes, this is from Cisco router ACL (syslog). The data just repeats
> itself for a couple of hours. Perhaps a DoS aimed at the syslog port due to
> the timestamps and multiple attempts with one packet? I.E., an attacker
> attempting to deny bandwidth by taking out a router. It appears the
> attacker is trying to identify the syslog server to attempt DoS or to gain
> root access. Thank you for your input.
> Heidi

I don't think you have enough information to assume it is a. intentional or
b. malicious. Without the actual packets, or at least the headers from them,
you have no data regarding the purpose or stimulus for the traffic. This
could be the result of someone spoofing you and attacking your traffic's
source. If it got blocked at your firewall, acknowledge it, file it for
future reference if necessary and don't spend any more time on it.

toby

>
> No, you would be correct in identifying it as traffic attempting to go to
> port 514 being denied at your router. IIRC, the 100-series ACLs on Ciscos
> (this looks like the log format from a Cisco, am I correct?) are purely
> port and protocol based.
> Assuming anything about the intent of the traffic without a bunch more
> data would be unwise.
>
> Toby
>
> On Tue, 16 Oct 2001, Heidi wrote:
>
> > By noting UDP port 514 in this log, would I be correct in identifying it
> > as a Syslog buffer overflow attack?
> >
> > Oct 16 08:08:32 rt0 10588: rd20h: %SEC-6-IPACCESSLOGP: LIST 102 denied udp 195.16.163.6(1094)->external.server(514), 2 packets
> > Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10(2976) -> external server(514), 1 packet
> > Oct 16 08:34:33 rt0 10629: rd11h: #SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10 (2976) -> external.server (514), 1 packet
> >
> > Thank you,
> > Heidi Henry
> > mcps@private
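Toby's point is that an ACL deny counter tells you what was blocked, not why. An added example (not part of the thread) that does the bookkeeping he suggests: parse the %SEC-6-IPACCESSLOGP lines Heidi posted, tolerating the small format variations in her log, and collapse hours of repeats into per-source packet totals so the event can be filed and forgotten. The field names are my own; `external.server` is Heidi's placeholder for the real destination.

```python
"""Added example: aggregate Cisco %SEC-6-IPACCESSLOGP 'denied' lines
so hours of repeats collapse into per-source packet counts."""
import re
from collections import defaultdict

# Tolerant of the variations in the quoted log: 'list'/'LIST',
# '%SEC'/'#SEC', optional spaces around '(port)' and '->', 'packet(s)'.
ACL_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+).*?"
    r"[%#]SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\d+)\s+denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)\s*->\s*(?P<dst>[\w.\s]+?)\s*\((?P<dport>\d+)\),"
    r"\s+(?P<count>\d+)\s+packets?",
    re.IGNORECASE,
)

def parse_acl_line(line):
    """Return the fields of one deny line as a dict, or None if it does not match."""
    m = ACL_DENY.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    rec["proto"] = rec["proto"].lower()
    return rec

def summarize_denies(lines, proto="udp", dport=514):
    """Sum denied packets per source IP for one protocol/destination port.

    This only says who was blocked and how often; it cannot establish intent,
    and a spoofed source address would show up exactly the same way.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == dport:
            totals[rec["src"]] += rec["count"]
    return dict(totals)

# The three lines from Heidi's post, unwrapped; 'external.server' is her placeholder.
SAMPLE_LOG = [
    "Oct 16 08:08:32 rt0 10588: rd20h: %SEC-6-IPACCESSLOGP: LIST 102 denied udp 195.16.163.6(1094)->external.server(514), 2 packets",
    "Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10(2976) -> external server(514), 1 packet",
    "Oct 16 08:34:33 rt0 10629: rd11h: #SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10 (2976) -> external.server (514), 1 packet",
]

if __name__ == "__main__":
    for src, n in sorted(summarize_denies(SAMPLE_LOG).items()):
        print(f"{src:16} {n} packet(s) to udp/514 denied")
```

Against the sample this yields two sources with two denied packets each, which is the whole of what the log supports.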
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:28:22 PDT