port0 on router log

Discussion in 'Cisco' started by Dong Lee, Nov 26, 2003.

  1. Dong Lee (Guest)

    Hi,

    We've captured the following log from the router,

    Nov 26 14:06:47: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    208.43.165.88(0) -> xxx.xxx.87.250(0), 1 packet
    Nov 26 14:06:48: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    193.92.79.149(0) -> xxx.xxx.87.250(0), 1 packet
    Nov 26 14:06:49: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    198.34.44.244(0) -> xxx.xxx.87.250(0), 1 packet

    This actually was a spoof attack on one of our webservers, and it looked like
    the packet was sourced from port 0 and destined to port 0. Or it could be
    that the router didn't check the port in order to deny or accept the packet,
    and therefore the port number was set to 0.

    We used the following ACL to collect this log,
    access-list 101 permit ip any host xxx.xxx.89.250 log
    access-list 101 permit udp any host xxx.xxx.89.250 log
    access-list 101 permit ip any any

    As you can see from the ACL, we just used a simple ACL to collect the log but
    don't understand why the router failed to check the port and left it as 0.

    Any ideas or comments?

    Thank you
     
    Dong Lee, Nov 26, 2003
    #1

  2. Walter Roberson

    :We've captured the following log from the router,

    :Nov 26 14:06:47: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    :208.43.165.88(0) -> xxx.xxx.87.250(0), 1 packet

    :This actually was a spoof attack on one of our webservers, and it looked like
    :the packet was sourced from port 0 and destined to port 0. Or it could be
    :that the router didn't check the port in order to deny or accept the packet,
    :and therefore the port number was set to 0.

    Close. IOS does not bother to copy the port numbers into memory until
    the first time ports are referenced while processing a traditional ACL.
    (This has always seemed strange to me, but someone from Cisco has
    said that it's a lot more efficient considering the device architecture.)
    If you happen to 'log' before ports were referenced, then you get port 0
    in the output.

    The workaround we used was

    access-list 101 deny tcp any any eq 0 log
    access-list 101 deny tcp any eq 0 any log
    access-list 101 deny udp any any eq 0 log
    access-list 101 deny udp any eq 0 any log

    A single reference to either the source or destination port is enough
    to copy both over, so you don't need -both- of the above, but since a
    source or destination port of 0 is illegal, you might as well block both.
    [Yes, this -did- sometimes end up blocking packets for us: forged
    packets sometimes, but also we found that one of the internet telephony
    programs was trying to use port 0!]
     
    Walter Roberson, Nov 26, 2003
    #2
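As an added example (not code from either poster), a small Python checker that parses %SEC-6-IPACCESSLOGP lines and, given the ACL in effect, tells whether a 0/0 port pair is the artifact Walter describes (the logging entry precedes any port reference) or a genuine port 0 worth investigating. The sample log lines, addresses and ACL texts below are constructed for the demonstration.

```python
import re
# Constructed sample lines in the %SEC-6-IPACCESSLOGP format from the thread
# (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Nov 26 14:06:47: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.88(0) -> 192.0.2.250(0), 1 packet
Nov 26 14:06:48: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.149(0) -> 192.0.2.250(0), 1 packet
Nov 26 14:07:02: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40512) -> 192.0.2.250(80), 1 packet
"""
# The poster's ACL shape: its first logging entry precedes any port reference.
ACL_ORIGINAL = [
    "access-list 101 permit ip any host 192.0.2.250 log",
    "access-list 101 permit udp any host 192.0.2.250 log",
    "access-list 101 permit ip any any",
]
# The reply's workaround prepended: 'eq 0' references a port before logging.
ACL_WORKAROUND = [
    "access-list 101 deny tcp any any eq 0 log",
    "access-list 101 deny tcp any eq 0 any log",
    "access-list 101 deny udp any any eq 0 log",
    "access-list 101 deny udp any eq 0 any log",
] + ACL_ORIGINAL
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
PORT_RE = re.compile(r"\b(eq|neq|gt|lt|range)\b")  # IOS port operators
def parse_log(text):
    """Return one dict per IPACCESSLOGP line, with ports and count as ints."""
    return [
        {k: int(v) if k in ("sport", "dport", "count") else v
         for k, v in m.groupdict().items()}
        for m in LOG_RE.finditer(text)
    ]

def ports_referenced_before_first_log(acl):
    """True if an ACE up to and including the first 'log' ACE names a port."""
    for ace in acl:
        if PORT_RE.search(ace):
            return True
        if ace.split()[-1] == "log":
            return False
    return False

def classify(entry, acl):
    """Label a log entry: port-0 artifact, genuine port 0, or normal."""
    if entry["sport"] == 0 and entry["dport"] == 0:
        if not ports_referenced_before_first_log(acl):
            return "artifact: ACL logged before IOS copied the ports"
        return "genuine port 0: illegal on the wire, investigate"
    return "normal"
```

Run `classify(e, ACL_ORIGINAL)` over `parse_log(SAMPLE_LOG)` to see the first two lines flagged as the artifact; with `ACL_WORKAROUND` the same lines are reported as genuine port 0.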