Zen,

Sounds like a Fraggle attack (though it's pretty slow to be effective), where you might be an amplifier. Is the source address (a.b.c.d) an address that you recognize? If your customer doesn't need it, make sure "no ip directed-broadcast" is applied to their router interfaces that are connected to a broadcast medium (e.g. Ethernet). I'm pretty comfortable dropping traffic destined to a broadcast address at my enclave router, but your requirements may vary.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wrightat_private
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> Debugging on a customer router I trampled over some unusual
> traffic pattern: it is composed of
> udp packets,
> always from the same ip address
> random source port
> directed to the network and broadcast addresses of a network
> random destination port
>
> time-spaced around 2 seconds.
>
> This is an example from the logs
>
> Apr 2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
> Apr 2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
> Apr 2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
> Apr 2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
> Apr 2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
> Apr 2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
> Apr 2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
> Apr 2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet
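The pattern the original poster describes (one source, UDP, random ports on both ends, destinations limited to the network and directed-broadcast addresses, roughly 2 seconds apart) is easy to pull out of the IOS access-list log automatically. The following is an added example, not code from either participant in the thread: it parses %SEC-6-IPACCESSLOGP lines and summarises, per source, how many hits went to the network or broadcast address of a given prefix, how many distinct ports were used, and the median inter-arrival time. The log lines are constructed to mirror the ones quoted above, with RFC 5737 documentation addresses standing in for a.b.c.d, bcast-addr and net-addr; the ACL number 101 and the extra host-directed DNS line are likewise made up for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample modelled on the lines quoted in the post. 192.0.2.10 stands in
# for the unknown source a.b.c.d; 198.51.100.0/24 is the customer network, so
# 198.51.100.255 is bcast-addr and 198.51.100.0 is net-addr. The last line is a
# normal host-directed packet added to show that it is not counted.
SAMPLE_LOG = """\
Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(14673) -> 198.51.100.255(146), 1 packet
Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(41383) -> 198.51.100.255(558), 1 packet
Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(17499) -> 198.51.100.255(328), 1 packet
Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(1124) -> 198.51.100.255(940), 1 packet
Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(32969) -> 198.51.100.255(549), 1 packet
Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(19998) -> 198.51.100.0(112), 1 packet
Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(24405) -> 198.51.100.0(251), 1 packet
Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(6827) -> 198.51.100.255(497), 1 packet
Apr  2 10:41:20 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(53) -> 198.51.100.20(53), 1 packet
"""

# One IOS ACL log line: "<Mon> <day> <hh:mm:ss> <tz>: %SEC-6-IPACCESSLOGP: list <acl>
# denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)


def parse(text, year=2003):
    """Parse IPACCESSLOGP lines into event dicts; non-matching lines are skipped.

    IOS timestamps carry no year, so one is supplied (assumed here) to build a datetime.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "proto": m["proto"].lower(),
            "src": ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
            "pkts": int(m["pkts"]),
        })
    return events


def find_broadcast_probes(events, network, min_hits=5):
    """Summarise, per source, UDP hits aimed at the network/broadcast address of `network`.

    Only the two addresses a Fraggle-style amplifier probe would target are counted
    (the prefix's network address and its directed-broadcast address). Sources with
    fewer than `min_hits` such packets are dropped as noise. The port spread and the
    median gap between packets are reported so the reader can recognise the
    "random ports, ~2 s apart" signature the post describes.
    """
    net = ip_network(network)
    targets = {net.network_address, net.broadcast_address}
    by_src = {}
    for ev in events:
        if ev["proto"] != "udp" or ev["dst"] not in targets:
            continue
        by_src.setdefault(ev["src"], []).append(ev)

    report = {}
    for src, hits in by_src.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[str(src)] = {
            "hits": len(hits),
            "distinct_sports": len({e["sport"] for e in hits}),
            "distinct_dports": len({e["dport"] for e in hits}),
            "to_broadcast": sum(e["dst"] == net.broadcast_address for e in hits),
            "to_network": sum(e["dst"] == net.network_address for e in hits),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for src, summary in find_broadcast_probes(parse(SAMPLE_LOG), "198.51.100.0/24").items():
        print(src, summary)
```

On the constructed sample the script reports one source, 192.0.2.10, with 8 hits (6 to the broadcast address, 2 to the network address), 8 distinct source ports, 8 distinct destination ports and a median gap of 2 seconds, which is the shape of traffic the post is asking about. The host-directed DNS line from 203.0.113.7 is ignored because its destination is a unicast address. Whether the source is a recognised host and whether `no ip directed-broadcast` is set on the customer's broadcast-facing interfaces, the two questions Joshua raises, still have to be answered by hand.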
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:51:33 PST