UDP traffic to net and broadcast addresses

From: Zen (zen@kill-9.it)
Date: Wed Apr 02 2003 - 02:12:14 PST


    Hi,
    	debugging on a customer router I trampled over some unusual
    	traffic pattern: it is composed of
    	UDP packets,
    	always from the same IP address
    	random source port
    	directed to the network and broadcast addresses of a network
    	random destination port
    
    	time-spaced around 2 seconds.
    
    	This is an example from the logs
    
    Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
    Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
    Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
    Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
    Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
    Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
    Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
    Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet
    
    	they are around 8900 starting 3am (log rotate date -- didn't
    	check before, still).
    
    	It is highly probable this is an attempted information gathering
    	act -- but why use network and broadcast addresses? Most
    	modern TCP/IP stacks wouldn't answer (well, some Ciscos actually
    	do, depending on config..)
    
    	Any ideas?
    
    bye,
    -- 
    My home isn't cluttered; it's "passage restrictive."
    zen@kill-9.it . Geek . And proud of it .
    http://www.kill-9.it/jargon/html/entry/zen.html
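
One way to triage this pattern from the router log, as an added example that is not part of the original post: it parses `%SEC-6-IPACCESSLOGP` lines and summarises, per source, denied UDP aimed at a subnet's network or broadcast address (packet count, port spread, median spacing). The sample lines, addresses (documentation ranges), ACL number, year and the names `probe_sources`, `parse` and `PROTECTED` are assumptions, since the post anonymises its values.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median
# Constructed sample in the post's log format. The addresses, ACL number,
# protected subnet and year are assumptions (the post anonymises them).
PROTECTED = ip_network("192.0.2.0/24")
SAMPLE = """\
Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(14673) -> 192.0.2.255(146), 1 packet
Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(41383) -> 192.0.2.255(558), 1 packet
Apr  2 10:41:06 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(40000) -> 192.0.2.20(53), 1 packet
Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(17499) -> 192.0.2.255(328), 1 packet
Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1124) -> 192.0.2.255(940), 1 packet
Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(19998) -> 192.0.2.0(112), 1 packet
"""
LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied udp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet")

def parse(log, year=2003):
    """Yield (time, src, sport, dst, dport, packets) for each denied-UDP line."""
    for m in map(LINE.search, log.splitlines()):
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield (ts, ip_address(m["src"]), int(m["sport"]),
                   ip_address(m["dst"]), int(m["dport"]), int(m["n"]))

def probe_sources(log, net=PROTECTED, min_events=5):
    """Summarise sources whose denied UDP targets the net/broadcast address of `net`."""
    special = {net.network_address: "net", net.broadcast_address: "bcast"}
    events = defaultdict(list)
    for ts, src, sport, dst, dport, n in parse(log):
        if dst in special:  # traffic to ordinary host addresses is ignored
            events[str(src)].append((ts, sport, dport, special[dst], n))
    report = {}
    for src, rows in events.items():
        if len(rows) < min_events:
            continue
        rows.sort()  # chronological order, so consecutive gaps are meaningful
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        report[src] = {
            "packets": sum(r[4] for r in rows),
            "distinct_sports": len({r[1] for r in rows}),
            "distinct_dports": len({r[2] for r in rows}),
            "targets": sorted({r[3] for r in rows}),
            "median_gap_s": median(gaps),
        }
    return report
```

Calling `probe_sources(SAMPLE)` returns one entry for the constructed source; a steady median gap combined with as many distinct ports as packets is the signature described in the post.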
    



    This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 19:57:44 PST