06-18-2012 02:20 AM - edited 03-11-2019 04:20 PM
Hi all
There is nothing in this PUBLIC subnet a.b.22.1/24, not a single server.
Why is there so much traffic and so many requests on TCP ports 6666-6669, and where does it come from?
2911BGP#sh int g0/2
GigabitEthernet0/2 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 442b.03a9.dbb2 (bia 442b.03a9.dbb2)
Internet address is a.b.22.1/24
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 464000 bits/sec, 780 packets/sec
access-list 100 permit ip any any log
interface GigabitEthernet0/0
description MODEM to Provider
ip address c.v.b.30 255.255.255.252
interface GigabitEthernet0/2
description PUBLIC Provider Independent subnet
ip address a.b.22.1 255.255.255.0
ip access-group 100 out
2911BGP#sh access-l 100
Extended IP access list 100
10 permit ip any any log (981099 matches)
Jun 18 15:00:05.290: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 48313 packets
..
Jun 18 15:00:06.526: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(10221) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:07.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 202.108.112.98(28225) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:08.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(54777) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:09.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 103.4.100.120(61304) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:10.538: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 121.11.153.242(38509) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:11.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 217.108.183.89(58572) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:12.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 110.232.165.179(43416) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:13.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 117.219.52.218(37693) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:14.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(53875) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:15.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 116.226.89.201(48775) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:16.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(56449) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:17.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(53875) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:18.570: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.160.56.151(58621) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:19.570: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 189.91.66.154(35719) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:20.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 124.105.12.19(32885) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:21.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 189.76.176.238(60392) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:22.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.82.27.111(40080) -> a.b.22.2(6667), 1
is it a botnet attack?
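The log excerpt above is only a sample of the traffic: the %SEC-6-IPACCESSLOGRL line says the router missed 48313 packets for the handful it logged, so counting logged lines by hand under-reports badly. The following added example (not from this thread and not Cisco code) parses both message types, totals packets per destination and port and per source, reports what fraction of the traffic the log actually captured, and lists which hosts receive most of it. The sample lines are constructed in the quoted format and reuse the thread's masked a.b.22.x addresses; the a.b.22.3 line and the trailing garbage line are invented to exercise the second-destination and unparsable cases. The deny entries it suggests use standard IOS extended-ACL syntax and are a starting point, not a complete policy.

```python
import re
from collections import Counter

# Constructed sample in the format of the IOS messages quoted in the first post.
# a.b.22.2 is the thread's masked destination; the a.b.22.3 line and the last
# line are invented for the example. Not a real capture.
SAMPLE_LOG = """\
Jun 18 15:00:05.290: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 48313 packets
Jun 18 15:00:06.526: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(10221) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:07.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 202.108.112.98(28225) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:08.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(54777) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:09.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 103.4.100.120(61304) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:10.538: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 121.11.153.242(38509) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:13.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 117.219.52.218(37693) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:14.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(53875) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:15.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 116.226.89.201(48775) -> a.b.22.3(80), 1 packet
this line is constructed noise and must be ignored by the parser
"""

# One logged flow: "list <acl> permitted tcp <src>(<sport>) -> <dst>(<dport>), <n> packet(s)".
# Hosts are matched as non-space tokens so masked addresses like a.b.22.2 parse too.
LOGP = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>\S+?)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
# The rate-limit notice carries the number of packets that were NOT logged.
LOGRL = re.compile(r"%SEC-6-IPACCESSLOGRL: .*missed (?P<missed>\d+) packets")


def parse_line(line):
    """Return a dict for a flow or missed-packet record, or None for anything else."""
    m = LOGP.search(line)
    if m:
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        rec["kind"] = "flow"
        return rec
    m = LOGRL.search(line)
    if m:
        return {"kind": "missed", "count": int(m.group("missed"))}
    return None


def summarize(text):
    """Aggregate packet counts per (dst, dport) and per source, plus logged vs missed totals."""
    by_dst_port, by_src = Counter(), Counter()
    logged = missed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "missed":
            missed += rec["count"]
            continue
        logged += rec["count"]
        by_dst_port[(rec["dst"], rec["dport"])] += rec["count"]
        by_src[rec["src"]] += rec["count"]
    return {"logged": logged, "missed": missed,
            "by_dst_port": by_dst_port, "by_src": by_src}


def sampling_ratio(summary):
    """Fraction of all packets the ACL log actually recorded (logged / (logged + missed))."""
    total = summary["logged"] + summary["missed"]
    return summary["logged"] / total if total else 0.0


def top_destinations(summary, share=0.8):
    """Destination hosts that received at least `share` of the logged packets."""
    per_host = Counter()
    for (dst, _port), n in summary["by_dst_port"].items():
        per_host[dst] += n
    return [h for h, n in per_host.most_common()
            if summary["logged"] and n / summary["logged"] >= share]


def suggest_deny_aces(summary):
    """Per-observed-(dst, port) IOS extended-ACL deny entries, in sorted order."""
    return sorted(f"deny tcp any host {dst} eq {port}"
                  for (dst, port) in summary["by_dst_port"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"logged={s['logged']} missed={s['missed']} captured={sampling_ratio(s):.5%}")
    for (dst, port), n in s["by_dst_port"].most_common():
        print(f"  {dst}:{port:<5} {n} pkt")
    print("hosts receiving >=80% of logged traffic:", top_destinations(s))
    print("\n".join(suggest_deny_aces(s)))
```

The deny entries are the "block what you know is undesired" fallback the next reply describes; a default-deny list that permits only intended services is the better end state. Note also what an outbound ACL on GigabitEthernet0/2 can and cannot do: it stops the packets from being forwarded into the subnet, but they have already crossed the provider link into GigabitEthernet0/0, so the inbound bandwidth they consume can only be reclaimed by filtering upstream.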
06-18-2012 02:39 AM
Hi
If there is nothing there, then why are you permitting traffic there in the access-list?
If it is traffic destined for nowhere, block it as soon as possible.
Any TCP port can be any service, so the fact that it is on ports 6667-6669 does not mean that it is a certain piece of software; that said, my guess would be IRC. But until you set up a listener there is no way to know that for sure.
Most likely there has been something there at some point in time and you are seeing residual traffic from it.
If you do not use it then block it.
If someone were to set up a server there, this access-list would let all kinds of traffic through to that server.
The best way to do it is to block everything and let only desired traffic through.
Now I do understand that in some (many) cases that is not possible and you have to resort to blocking traffic you know is undesired. But it puts you in a worse situation than you would have to be in until you have sorted out what your desired traffic is.
Good luck
06-18-2012 02:53 AM
Of course I will block it,
but it occupies part of the incoming traffic from the provider on my interface GigabitEthernet0/0.
I did this: access-list 100 permit ip any any log
to look for the traffic that goes only
06-18-2012 03:21 AM
If you want to know what is going on on the outside of your interface, I would set up a switch there, configure a SPAN port and start sniffing to see what is going on in the incoming and outgoing traffic.
The sniffer will tell you loads more than the access-list will.
Another good part of this is that in case a problem becomes known with the router (in this case), you are (in many cases) able to block that type of incoming traffic in the switch with access-lists on the switch.
It is in some cases possible to set up a sniff in the router, but I prefer a SPAN port.
Good luck
HTH
06-18-2012 04:04 AM
I have a class C subnet, but why do all requests on TCP ports 6666-6669 go to address a.b.22.2?
Why not to a.b.22.1 or a.b.22.3, .4, .5 and so on?
Jun 18 16:51:05.340: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 34408 packets
Jun 18 16:51:05.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 222.73.247.221(38310) -> a.b.22.2(6668), 1 packet
Jun 18 16:51:06.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(37573) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:07.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 219.143.226.131(45299) -> a.b.22.2(6667), 1 packet
Jun 18 16:51:08.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(45649) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:09.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 24.227.93.115(62648) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:10.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 121.88.249.247(60663) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:11.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 103.4.100.120(52436) -> a.b.22.2(6667), 1 packet
Jun 18 16:51:12.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(31070) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:13.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 103.4.100.120(52691) -> a.b.22.2(6667), 1 packet
06-18-2012 07:19 AM
Well
This is just pure speculation since we do not have all the information.
Most likely it is a remnant of something that was there at some point in time, e.g. an IRC server.
If not, then it could be an error: someone has set up a server somewhere and made a typo and misspelled an IP address, or someone misspelled a DNS record somewhere and it is pointing to your server.
There is no way of knowing that until you investigate, and that means you must set up something that answers so that you can see what the traffic is and sniff it.
Good luck
HTH