Is this Normal???

Discussion in 'Cisco' started by justin, Oct 15, 2003.

  1. justin

    justin Guest

    This is showing up non-stop throughout our syslog from a PIX 501. The
    outside source IPs are not in our given IP range. They are all
    Ameritech DSL (router?) IP addresses. The source IPs keep changing
    for the ICMP denials. However, everything that is blocked (UDP/port,
    ICMP, etc.) comes from an Ameritech IP range (which makes sense,
    because we use SBC). This morning our PIX went down for about 20
    seconds. All lights on it were flashing in tandem like it had been
    rebooted, or was hung up. Any help would be most appreciated.
    Thanks.

    Justin



    10.0.0.x %PIX-4-106023: Deny udp src outside:209.187.193.165/1062 dst
    inside:68.75.x.x/1434 by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.87.57 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny udp src outside:216.36.116.97/4663 dst
    inside:68.75.x.x/1434 by access-group "100"

    10.0.0.x %PIX-3-106011: Deny inbound (No xlate) icmp src
    outside:68.75.167.111 dst outside:68.75.x.x (This is in our IP
    range)(type 8, code 0)

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.75.167.111 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-3-106011: Deny inbound (No xlate) icmp src
    outside:68.73.88.152 dst outside:68.75.x.x (This is in our IP
    range)(type 8, code 0)

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"

    10.0.0.x %PIX-4-106023: Deny icmp src outside:68.73.88.152 dst
    inside:68.75.x.x (type 8, code 0) by access-group "100"
     
    justin, Oct 15, 2003
    #1

  2. ICMP type 0 code 0 is Echo Reply -- these are the responses to pings. If
    you allow pings out, you need to allow the replies back in.
     
    Barry Margolin, Oct 15, 2003
    #2

  3. Oops, ignore the last message I sent.

    These are Echo messages, not Echo Reply as I incorrectly said previously.
    So someone is trying to ping devices on your network. It could be someone
    scanning you.

    That address translates to adsl-68-75-87-57.dsl.milwwi.ameritech.net,
    i.e. a DSL customer of Ameritech. Complain to their Abuse department.
     
    Barry Margolin, Oct 15, 2003
    #3
  4. :This is showing up non-stop throughout our syslog from a PIX 501. The
    :outside source IP's are not in our given IP range. They are all
    :ameritech DSL (router?) IP addresses. The source IPs keep changing
    :for the ICMP denials.

    Sounds like people infected with SoBig.F or equivalent, which tend
    to scan "nearby" IP addresses looking for more hosts to infect.
    You can block them at your router, or you can complain to ameritech
    and hope they care enough to notify the users.
     
    Walter Roberson, Oct 15, 2003
    #4
  5. Program ended abnormally on 15/10/2003 12:13, Due to a catastrophic
    Walter Roberson error:
    Sobig.F is an e-mail-borne virus (it will spread through Microsoft shares as
    well, but does not scan hosts).

    For the ICMP echoes, if the IP addresses are sequential, it's Welchia/Nachi; if
    the IP addresses increase by 20 (e.g. .1, .21, .41, ...), it's Blaster.

    The hit on TCP port 1434 is SQL/Slammer.

    You might want to advise Ameritech, but I wouldn't put too much hope in them
    contacting the offender.
     
    Francois Labreque, Oct 16, 2003
    #5
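    The rules of thumb from replies #3 and #5 (type 8 = echo request, i.e. someone pinging your range; sequential targets vs. targets stepping by 20; port 1434 hits) can be turned into a small triage script for the PIX deny lines quoted above. This is an added example, not code from the thread or from Cisco: the regex is written for this example, the source addresses are the ones quoted in the thread, and the destination addresses are constructed (the post masks them as 68.75.x.x), so the address stride can actually be computed.

```python
import ipaddress
import re
from collections import defaultdict

# Deny-line pattern for the 106023 / 106011 messages quoted above (written for this example).
LINE = re.compile(r"%PIX-\d-\d{6}: Deny (?:inbound \(No xlate\) )?(?P<proto>\w+) src "
                  r"\w+:(?P<src>[\d.]+)(?:/\d+)? dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
                  r"(?: \(type (?P<type>\d+), code \d+\))?")

# Constructed sample: sources as quoted in the thread, destinations invented (the post masks them).
PFX = '10.0.0.1 %PIX-4-106023: Deny '
SAMPLE = [
    PFX + 'icmp src outside:68.75.87.57 dst inside:68.75.10.1 (type 8, code 0) by access-group "100"',
    PFX + 'icmp src outside:68.75.87.57 dst inside:68.75.10.2 (type 8, code 0) by access-group "100"',
    PFX + 'icmp src outside:68.75.87.57 dst inside:68.75.10.3 (type 8, code 0) by access-group "100"',
    '10.0.0.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:68.75.167.111 dst outside:68.75.10.1 (type 8, code 0)',
    PFX + 'icmp src outside:68.75.167.111 dst inside:68.75.10.21 (type 8, code 0) by access-group "100"',
    PFX + 'icmp src outside:68.75.167.111 dst inside:68.75.10.41 (type 8, code 0) by access-group "100"',
    PFX + 'udp src outside:209.187.193.165/1062 dst inside:68.75.10.9/1434 by access-group "100"',
    PFX + 'icmp src outside:68.73.88.152 dst inside:68.75.10.7 (type 8, code 0) by access-group "100"',
]

def parse(line):
    m = LINE.search(line)
    if not m:
        return None
    d = m.groupdict()  # (src, dst as int, proto, dst port or None, icmp type or None)
    return (d["src"], int(ipaddress.ip_address(d["dst"])), d["proto"].lower(),
            int(d["dport"]) if d["dport"] else None, int(d["type"]) if d["type"] else None)

def label(recs):
    """Apply the rules of thumb from replies #3 and #5 to one source's records."""
    if any(dport == 1434 for _, _, _, dport, _ in recs):
        return "port 1434 probe (Slammer, per the thread)"
    pings = [dst for _, dst, proto, _, itype in recs if proto == "icmp" and itype == 8]
    if len(pings) < 3:
        return "too few echo requests to judge"
    strides = {b - a for a, b in zip(pings, pings[1:])}  # gap between successive targets
    if strides == {1}:
        return "sequential echo sweep (Welchia/Nachi, per the thread)"
    if strides == {20}:
        return "echo sweep stepping by 20 (Blaster, per the thread)"
    return "echo requests with no regular stride"

def classify(lines):
    """Group deny lines by source address and label each source."""
    per_src = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_src[rec[0]].append(rec)
    return {src: label(recs) for src, recs in per_src.items()}
```

    The port-1434 check looks at the port only, since the quoted log shows it as udp/1434; a source with fewer than three echo requests is reported as inconclusive rather than guessed at.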
