Unusual Traffic

Jesse Whyte jwhyte at mail.state.tn.us
Mon Oct 19 19:29:11 UTC 1998


This traffic is getting denied by my ingress Internet filters designed to
stop spoofed internal addresses.  However, I have yet to see traffic that
has this pattern.  The site in question has no alternate Internet connection
that could be resending this traffic.  As the ingress points in question are
the legitimately advertised connections (via BGP), I can't think of any
other reason this traffic should be appearing.

However, I really do not understand what an attacker would gain with probe
packets like this.  The return traffic should (in an ideal world) simply get
redirected to the loopback interface.  But then again, this world is far
from ideal, necessitating this message.

Oct 13 13:33:04 ingress.router.ip.address  4267746: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(34) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(34), 1 packet
Oct 13 13:33:06 ingress.router.ip.address  4267747: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(37) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(37), 1 packet
Oct 13 13:33:07 ingress.router.ip.address  4267749: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(43) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(43), 1 packet
Oct 13 13:33:08 ingress.router.ip.address  4267751: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(25) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(25), 1 packet
Oct 13 13:33:09 ingress.router.ip.address  4267752: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(26) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(26), 1 packet
Oct 13 13:33:11 ingress.router.ip.address  4267754: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(28) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(28), 1 packet
Oct 13 13:33:14 ingress.router.ip.address  4267755: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(31) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(31), 1 packet
Oct 13 13:33:16 ingress.router.ip.address  4267757: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(32) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(32), 1 packet
Oct 13 13:33:17 ingress.router.ip.address  4267758: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(33) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(33), 1 packet

Thanks for your help... Please note that the IP address (50.50.50.50) is NOT
the real IP of the target in question...
Jesse Whyte
Security Analyst
Office of Information Resources
State of Tennessee
(615)741-8651
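The log excerpt above is the kind of thing an analyst would want to parse and flag automatically rather than eyeball: a self-addressed packet (source address equal to destination address) arriving on an Internet-facing interface cannot be legitimate, because the only host that should ever emit it is the target itself, on its loopback. The following is an added example, not code from the original post or from the NANOG list, that re-joins mail-wrapped Cisco IOS %SEC-6-IPACCESSLOGP records, parses them, and reports the reflexive hits grouped by ingress interface and upstream MAC address. The sample input is constructed: it mirrors a few of the lines in the post (same masked address 50.50.50.50, interface Ethernet1/5 and MAC 0010.117d.fc08) plus one ordinary non-reflexive deny from the documentation address 192.0.2.9, added so the filter has something to ignore. Field layout follows the message format as it appears in the post; the regular expression is an assumption about that format, not a Cisco-supplied parser.

```python
"""Flag reflexive (src == dst) ACL hits in Cisco IOS %SEC-6-IPACCESSLOGP logs.

Sample input below is constructed to mirror the post's wrapped log lines;
it is not live router output.
"""
import re
from collections import Counter

# A syslog record begins with a timestamp such as "Oct 13 13:33:04".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# Field layout of the IOS ACL log message as shown in the post (assumed format).
ACL_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<seq>\d+):\s+%SEC-6-IPACCESSLOGP:\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\)\s+"
    r"\((?P<iface>\S+)\s+(?P<mac>[0-9a-fA-F.]+)\)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample: three reflexive hits like the post's, one ordinary deny.
SAMPLE = """\
Oct 13 13:33:04 ingress.router.ip.address  4267746: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(34) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(34), 1 packet
Oct 13 13:33:06 ingress.router.ip.address  4267747: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(37) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(37), 1 packet
Oct 13 13:33:08 ingress.router.ip.address  4267751: %SEC-6-IPACCESSLOGP:
list 113 denied udp 50.50.50.50(25) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(25), 1 packet
Oct 13 13:40:00 ingress.router.ip.address  4267800: %SEC-6-IPACCESSLOGP:
list 113 denied udp 192.0.2.9(53) (Ethernet1/5 0010.117d.fc08) ->
50.50.50.50(53), 3 packets
"""


def unwrap_syslog(text):
    """Re-join records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_acl_log(text):
    """Parse every ACL log record in text into a dict; skip unrelated lines."""
    parsed = []
    for rec in unwrap_syslog(text):
        m = ACL_LOG.match(rec)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "count", "seq"):
            d[key] = int(d[key])
        parsed.append(d)
    return parsed


def find_reflexive(records):
    """Hits whose source address equals the destination address.

    Seen on an Internet-facing interface, such a packet can only be forged:
    the genuine sender would be the target itself, via its loopback.
    """
    return [r for r in records if r["src"] == r["dst"]]


def summarize(records):
    """Group hits by (interface, upstream MAC) and list the ports touched."""
    return {
        "by_origin": Counter((r["iface"], r["mac"]) for r in records),
        "ports": sorted({r["dport"] for r in records}),
        "same_port": all(r["sport"] == r["dport"] for r in records),
    }


if __name__ == "__main__":
    hits = find_reflexive(parse_acl_log(SAMPLE))
    summary = summarize(hits)
    for (iface, mac), n in summary["by_origin"].items():
        print(f"{n} reflexive hits via {iface} from {mac}")
    print("ports:", summary["ports"], "src port == dst port:", summary["same_port"])
```

Grouping by upstream MAC matters here: on a shared ingress segment it identifies which neighbour's router handed you the forged packets, which is the first question to take to the upstream.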

More information about the NANOG mailing list