OT: RE: [logs] Strange Pix message

From: Jim Shaw (JimS@private)
Date: Sun Sep 21 2003 - 21:42:33 PDT


    For a bit of comic relief - it's a new performance enhancement Cisco have
    not yet advertised. It is triggered by a port scan from port 666 which tells
    the CPU to go like hell. If they leave it on for too long the CPU melts down
    so they limit it to 10 seconds on then an unspecified random extended
    cooling time is required. During that 10 second interval all interfaces can
    be run at 100 Terabits/sec (see RFC 6666 which will be published by Cisco in
    the near future) although they will autoselect the appropriate speed for
    connected devices so unless you hook up another identical Cisco router to
    the interface you won't see any effects.
    
    :)
    Jim
    
    > -----Original Message-----
    > From: Tina Bird [mailto:tbird@precision-guesswork.com] 
    > Sent: Tuesday, 16 September 2003 6:10 p.m.
    > To: loganalysis@private
    > Subject: [logs] Strange Pix message
    > 
    > 
    > A bit of comic relief after all the intensity of the Windows 
    > RPC >crap<. Anyone have any ideas what this might be?
    > 
    > And remember that classic advice from CERT's 'Intrusion Detection
    > Checklist': "The common item to look for when reviewing log 
    > files is anything that appears out of the ordinary."
    > 
    > ---------- Forwarded message ----------
    > Date: Mon, 15 Sep 2003 16:09:16 -0400
    > From: Jared Ingersoll <jared@private>
    > To: "'incidents@private'" <incidents@private>
    > Subject: Strange Pix message
    > 
    > Hi,
    > 
    > I was reviewing my pix syslog messages today and found a 
    > strange one from yesterday morning at around 3 AM, Sunday:
    > 
    > 
    > Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 
    > 10 seconds = 45305562%
    > 
    > The odd thing is that the percent utilization is somewhere 
    > around 45 million percent. Our company operates during "bank 
    > hours" so activity at that time of day is always viewed with 
    > a suspicious eye. I called Cisco support and they were 
    > absolutely no help. They tried to pass it off as spoofed ip 
    > error messages related to the blaster worm. With minimal 
    > questioning the tech could not support that supposition at 
    > all (though I'm not saying he wasn't right).
    > 
    > Leading up to the CPU message was a sequence of UDP port 
    > scans on port 135 and 1026, originating from port 666 (as follows):
    > 
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
    > 
    > Can anyone shed some light on this?
    > 
    > Thanks,
    > Jared
    > 
    > ---------------------
    > Jared Ingersoll
    > Fiserv CSW, Inc.
    > 125 CambridgePark Dr.
    > Cambridge, MA 02140
    > t.617.354.1400 x237
    > f.617.498.0959
    > ---------------------
    > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
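The two PIX message types in Jared's report (%PIX-3-211003 CPU utilization and %PIX-2-106006 inbound denies) are simple enough to parse and sanity-check. Below is an added Python example, not code from the thread or from Cisco: it flags a CPU-utilization counter that is outside 0-100% as a malformed message rather than a real load figure, and lists the denies logged in the minutes before it so a reviewer can see the same context Jared did. The sample lines are constructed from the post (the year and the x.x.x.x placeholder are assumptions).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 09:00:10 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 37%
"""

# Common prefix: timestamp, relay/host tag, %PIX-<severity>-<message id>: body
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
CPU_RE = re.compile(r"CPU utilization for (?P<win>\d+) seconds = (?P<pct>\d+)%")
DENY_RE = re.compile(r"Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"to (?P<dst>\S+)/(?P<dport>\d+) on interface (?P<iface>\S+)")


def parse_line(line, year=2003):
    """Parse one PIX syslog line into a dict, or return None if it is not a PIX message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is an assumption supplied by the caller.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "severity": int(m["sev"]), "msgid": m["msgid"], "body": m["body"]}
    if m["msgid"] == "211003":
        c = CPU_RE.search(m["body"])
        if c:
            rec["cpu_pct"] = int(c["pct"])
    elif m["msgid"] == "106006":
        d = DENY_RE.search(m["body"])
        if d:
            rec.update(d.groupdict())
    return rec


def find_anomalies(log_text, window=timedelta(minutes=5)):
    """Return CPU messages whose percentage is impossible, with the denies seen shortly before each."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    for r in recs:
        if r["msgid"] != "211003" or 0 <= r.get("cpu_pct", 0) <= 100:
            continue  # a plausible utilization figure needs no special attention
        # A counter that cannot be a percentage means a corrupted or malformed message;
        # attach the inbound denies from the preceding window as review context.
        prior = [d for d in recs if d["msgid"] == "106006" and r["ts"] - window <= d["ts"] <= r["ts"]]
        findings.append({"ts": r["ts"], "cpu_pct": r["cpu_pct"],
                         "prior_denies": [(d.get("src"), d.get("sport"), d.get("dport")) for d in prior]})
    return findings
```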
    



    This archive was generated by hypermail 2b30 : Mon Sep 22 2003 - 16:32:58 PDT