Strange Activity

Discussion in 'Cisco' started by Felix Kim, Jun 14, 2004.

  1. Felix Kim

    Felix Kim Guest

    Using Cisco 7507 Router IOS 12.2(19a). I'm getting strange activity from my
    Et1/1. The IP 203.186.188.140 belongs to a broadband provider in China, yet
    the "sh ip cache flow" shows it coming from Et1/1 instead of the T1 port. How is
    this possible?

    SrcIf  SrcIPaddress     DstIf  DstIPaddress   Pr  SrcP  DstP  Pkts
    Et1/1  203.186.188.140  Et1/1  65.197.115.57  06  0F78  15B2  28
    Et1/1  203.186.188.140  Et1/1  65.197.115.61  06  0F7F  15B2  32
    Et1/1  203.186.188.140  Et1/1  65.197.115.60  06  0F7E  15B2  32
    Et1/1  203.186.188.140  Et1/1  65.197.115.59  06  0F7D  15B2  32
     
    Felix Kim, Jun 14, 2004
    #1

  2. Some device on the LAN is probably "spoofing" the address, possibly due to a
    virus or a hijacking. By lying about the source address, it becomes harder
    to track your LAN as the true source of the attack.

    Since it is marching up the IP addresses sequentially, I think you are
    dealing with a passive or active hacker. By default, the Cisco router will
    not check the source address of traffic passing through. You can use
    standard DDoS prevention tactics to set up filters so that only valid
    addresses come from your internal LAN.

    http://staff.washington.edu/dittrich/misc/ddos/
    http://www.cisco.com/warp/public/707/22.html
     
    Phillip Remaker, Jun 14, 2004
    #2
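    The check Phillip describes (a source address showing up on an interface it cannot legitimately belong to) can be run over "sh ip cache flow" output offline. This is an added example, not code from the thread; the sample lines are constructed to match the original post's format, and the per-interface prefix plan (192.0.2.0/24 on Et1/1, Se0/0 as the upstream) is an assumption standing in for the poster's real addressing.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the "sh ip cache flow" lines in the thread
# (ports are hexadecimal in that output; the last column is the packet count).
SAMPLE_FLOWS = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et1/1 203.186.188.140 Et1/1 65.197.115.57 06 0F78 15B2 28
Et1/1 203.186.188.140 Et1/1 65.197.115.61 06 0F7F 15B2 32
Et1/1 203.186.188.140 Et1/1 65.197.115.60 06 0F7E 15B2 32
Et1/1 192.0.2.25 Se0/0 198.51.100.7 06 0C00 0050 10
"""

# Assumed address plan: prefixes that may legitimately appear as a *source*
# on each inbound interface. 0.0.0.0/0 on the upstream side means "anything".
EXPECTED_SOURCES = {
    "Et1/1": [ipaddress.ip_network("192.0.2.0/24")],   # the LAN segment
    "Se0/0": [ipaddress.ip_network("0.0.0.0/0")],      # the T1 / upstream
}

def parse_flows(text):
    """Turn cache-flow output into dicts; skips the header and malformed lines."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        flows.append({
            "src_if": f[0], "src": ipaddress.ip_address(f[1]),
            "dst_if": f[2], "dst": ipaddress.ip_address(f[3]),
            "proto": int(f[4], 16), "sport": int(f[5], 16),
            "dport": int(f[6], 16), "pkts": int(f[7]),
        })
    return flows

def find_spoofed(flows, expected=EXPECTED_SOURCES):
    """Flows whose source address does not belong on the interface it arrived on
    (the same decision uRPF makes in the router, done here against a static plan)."""
    bad = []
    for fl in flows:
        allowed = expected.get(fl["src_if"], [])
        if not any(fl["src"] in net for net in allowed):
            bad.append(fl)
    return bad

def sweep_report(flows):
    """Per source: sorted distinct destinations, to make sequential scanning visible."""
    dests = defaultdict(set)
    for fl in flows:
        dests[str(fl["src"])].add(fl["dst"])
    return {src: [str(d) for d in sorted(ds)] for src, ds in dests.items()}

if __name__ == "__main__":
    spoofed = find_spoofed(parse_flows(SAMPLE_FLOWS))
    for src, dsts in sweep_report(spoofed).items():
        print(f"{src} arrived on the LAN side; {len(dsts)} targets: {dsts}")
```

    Feed it the real interface-to-prefix plan and the full cache-flow dump to get the list of LAN hosts (or, more precisely, the interface) to hunt for the infected or compromised machine on.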

  3. Derek Nash

    Derek Nash Guest

    I recommend the following be placed on all stub network segment interfaces:

    ip verify unicast reverse-path

    and the ingress & egress access-lists at all border routers.

    I would recommend the following global command on all routers:

    no ip source route

    Lastly I would recommend the use of CAR to limit bandwidth to protocols
    rarely seen on your network.

    A good general Cisco IOS Security article can be found at:

    http://www.cisco.com/warp/public/707/21.html
     
    Derek Nash, Jun 15, 2004
    #3
  4. Hansang Bae

    Hansang Bae Guest

    unless you have redundant WAN connections terminating on the same
    router.
    Should be the default in 12.x code IIRC.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 15, 2004
    #4
  5. Derek Nash

    Derek Nash Guest

    True, unless those WAN connections are bound under a Multilink PPP interface.
    Let's see if we can think of any more exceptions. ;)
    Correct, but I tend to include it in my default setup scripts anyway just to
    cover all bases.
     
    Derek Nash, Jun 16, 2004
    #5