please help big bad traffic from the Internet

Tagir Temirgaliyev (Spotlight)

Hi all

There is nothing in this PUBLIC subnet a.b.22.1/24, not one server.

Why, and from where, is there so much traffic and so many requests on TCP ports 6666-6669?

2911BGP#sh int g0/2
GigabitEthernet0/2 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 442b.03a9.dbb2 (bia 442b.03a9.dbb2)
  Internet address is a.b.22.1/24
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 464000 bits/sec, 780 packets/sec

access-list 100 permit ip any any log

interface GigabitEthernet0/0
 description MODEM to Provider
 ip address c.v.b.30 255.255.255.252

interface GigabitEthernet0/2
 description PUBLIC Provider Independent subnet
 ip address a.b.22.1 255.255.255.0
 ip access-group 100 out

2911BGP#sh access-l 100
Extended IP access list 100
    10 permit ip any any log (981099 matches)

Jun 18 15:00:05.290: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 48313 packets
..
Jun 18 15:00:06.526: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(10221) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:07.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 202.108.112.98(28225) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:08.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(54777) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:09.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 103.4.100.120(61304) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:10.538: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 121.11.153.242(38509) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:11.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 217.108.183.89(58572) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:12.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 110.232.165.179(43416) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:13.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 117.219.52.218(37693) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:14.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(53875) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:15.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 116.226.89.201(48775) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:16.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(56449) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:17.566: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(53875) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:18.570: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.160.56.151(58621) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:19.570: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 189.91.66.154(35719) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:20.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 124.105.12.19(32885) -> a.b.22.2(6668), 1 packet
Jun 18 15:00:21.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 189.76.176.238(60392) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:22.574: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.82.27.111(40080) -> a.b.22.2(6667), 1

Is it a botnet attack?

5 Replies

hobbe (Level 7)

Hi

If there is nothing there, then why are you permitting traffic there in the access-list?

If it is traffic destined for nowhere, block it as soon as possible.

Any TCP port can be any service, so the fact that it is on ports 6667-6669 does not mean that it is a certain software; that said, my guess would be IRC. But until you set up a listener there is no way to know that for sure.

Most likely there has been something there at some point in time that you are seeing residue traffic from.

If you do not use it, then block it.

If someone were to set up a server there, then this access-list would let through all kinds of traffic to that server.

The best way to do it is to block everything and let desired traffic through.

Now, I do understand that in some (many) cases that is not possible and you have to resort to blocking traffic you know is undesired. But it puts you in a worse situation than you would have to be in until you have sorted out what your desired traffic is.

Good luck

Of course I will block it,

but it occupies part of the incoming traffic from the provider to my interface GigabitEthernet0/0.

I did this: access-list 100 permit ip any any log

to look for the traffic that goes only

If you want to know what is going on on the outside of your interface, I would set up a switch there, set up a SPAN port and start sniffing to see what is going on in the incoming and outgoing traffic.

The sniffer will tell you loads more than the access-list will.

Another good part of this would be that, in case there is a known problem with the router (in this case), you are (in many cases) able to block that type of incoming traffic in the switch with access-lists in the switch.

It is in some cases possible to set up a sniff in the router, but I prefer a SPAN port.

Good luck

HTH

I have a class C subnet, but why do all requests on TCP ports 6666-6669 go to address a.b.22.2?

Why not to a.b.22.1, or a.b.22.3, 4, 5 and so on?

Jun 18 16:51:05.340: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 34408 packets
Jun 18 16:51:05.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 222.73.247.221(38310) -> a.b.22.2(6668), 1 packet
Jun 18 16:51:06.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(37573) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:07.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 219.143.226.131(45299) -> a.b.22.2(6667), 1 packet
Jun 18 16:51:08.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(45649) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:09.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 24.227.93.115(62648) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:10.732: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 121.88.249.247(60663) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:11.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 103.4.100.120(52436) -> a.b.22.2(6667), 1 packet
Jun 18 16:51:12.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 119.226.191.230(31070) -> a.b.22.2(6669), 1 packet
Jun 18 16:51:13.736: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 103.4.100.120(52691) -> a.b.22.2(6667), 1 packet
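The ACL log lines posted above (both the first capture against list 100 and this one against list 102) are easier to reason about as a summary than line by line: which destination socket they converge on, how many distinct sources are involved, and how much of the real volume the log actually shows. The script below is an added example for this thread, not code from the original posts or from Cisco. It assumes the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGRL message text exactly as it appears in the posts, and its embedded sample is a handful of lines copied from the first post.

```python
"""Summarise Cisco IOS ACL log messages from a captured 'show logging' / console text.

Two message types matter here:
  %SEC-6-IPACCESSLOGP  - one line per packet the router chose to log
  %SEC-6-IPACCESSLOGRL - how many packets were NOT logged because logging is rate-limited
The second one is why a log that shows "1 packet" per second can coexist with an
interface counter of hundreds of packets per second.
"""
import re
from collections import Counter, defaultdict

# Message formats as they appear in the thread (assumed to be stable Cisco IOS syslog text).
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\w.:]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.:]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
LOGRL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed "
    r"(?P<missed>\d+) packets"
)

# Sample input: six lines copied from the first post in this thread.
SAMPLE_LOG = """\
Jun 18 15:00:05.290: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 48313 packets
Jun 18 15:00:06.526: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(10221) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:07.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 202.108.112.98(28225) -> a.b.22.2(6669), 1 packet
Jun 18 15:00:08.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 119.226.191.230(54777) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:09.534: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 103.4.100.120(61304) -> a.b.22.2(6667), 1 packet
Jun 18 15:00:13.546: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 117.219.52.218(37693) -> a.b.22.2(6668), 1 packet
"""


def parse_acl_log(text):
    """Return (records, missed).

    records: one dict per IPACCESSLOGP line with src/sport/dst/dport/count etc.
    missed:  total packets the IPACCESSLOGRL lines say were not logged.
    Lines that match neither pattern (prompts, truncated lines) are ignored.
    """
    records = []
    missed = 0
    for line in text.splitlines():
        m = LOGP_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            records.append(rec)
            continue
        m = LOGRL_RE.search(line)
        if m:
            missed += int(m.group("missed"))
    return records, missed


def summarize(records, missed):
    """Aggregate by destination socket and report how much of the traffic was visible.

    'unique_sources' per destination is the fan-in: many different sources
    converging on one host:port is the shape worth noticing in this thread.
    """
    packets_by_dst = Counter()
    sources_by_dst = defaultdict(set)
    for rec in records:
        key = (rec["dst"], rec["dport"])
        packets_by_dst[key] += rec["count"]
        sources_by_dst[key].add(rec["src"])
    logged = sum(rec["count"] for rec in records)
    total = logged + missed
    return {
        "logged_packets": logged,
        "missed_packets": missed,
        # Fraction of all packets that produced a log line; tiny when rate-limited.
        "logged_fraction": (logged / total) if total else 0.0,
        "destinations": {
            key: {"packets": n, "unique_sources": len(sources_by_dst[key])}
            for key, n in packets_by_dst.items()
        },
        "unique_sources_total": len({rec["src"] for rec in records}),
    }


if __name__ == "__main__":
    recs, missed = parse_acl_log(SAMPLE_LOG)
    summary = summarize(recs, missed)
    print(f"logged={summary['logged_packets']} missed={summary['missed_packets']} "
          f"visible={summary['logged_fraction']:.5f}")
    for (dst, dport), info in sorted(summary["destinations"].items()):
        print(f"{dst}:{dport}  packets={info['packets']}  sources={info['unique_sources']}")
```

Feed it the full console capture instead of the sample and read two numbers: the per-destination fan-in (every line in both posts lands on a.b.22.2 on 6667-6669, from many different sources) and the ratio of logged to missed packets. The 48313 and 34408 "missed" counts show the log lines are a thin sample, so the interface counter (780 packets/sec output on g0/2) is the better gauge of the volume than the one-line-per-second log; a SPAN port, as suggested in the replies, would show the payloads that the ACL log cannot.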


Well

This is just pure speculation, since we do not have all the information.

Most likely it is a remnant of something that was there at some point in time, e.g. an IRC server.

If not, then it can be that it is an error: someone has set up a server somewhere that has a typo and misspelled an IP address, or it could be that someone misspelled a DNS record somewhere and that is pointing to your server.

There is no way of knowing that until you investigate, and that means that you must set up something that answers so that you can see what the traffic is and sniff it.

Good luck

HTH
