10-02-2013 05:50 AM - edited 03-11-2019 07:46 PM
Hi everybody,
thanks for a great forum and resource!
Our syslogs recently started showing a specific spoof getting dropped by one of our main firewalls, an ASA.
"Deny IP spoof from (0.0.4.0) to <removed public ip> on interface outside"
While no harm is done since the traffic is dropped, I still wonder... It has been going on for quite a while now, and with a frequency of maybe 40 or 50 times a minute I figure it's not going to stop any time soon.
What would you guys do about something like this?
Thanks.
Cheers
10-02-2013 10:42 PM
hi
I think, if you have an edge router facing the internet, put an ACL for that.
Thanks
Pranesh
10-02-2013 11:45 PM
Hi Pranesh,
thanks. Yeah I did; it's just my curious nature, I guess, that makes me want to investigate further. Has anyone ever followed up on something like this by maybe contacting the provider? Would that do any good?
Cheers
10-02-2013 11:47 PM
hi,
do a WHOIS on the IP address and report it to the ISP's spam/abuse support email.
The ISP will notify the corresponding IP owner to scan for and fix any malicious activity.
There are free web tools to check the WHOIS database.
10-03-2013 12:19 AM
Hi johnlloyd_13,
yeah, but the source address in this case is a special-use address, apparently 0.0.4.0. Here is a snippet from the WHOIS I pulled on it:
"
Comment: The address 0.0.0.0 may only be used as the address of an outgoing packet when a computer is learning which IP address it should use. It is never used as a destination address. Addresses starting with "0." are sometimes used for broadcasts to directly connected devices.
"
So unless my ISP has added a new (and seriously misconfigured) device somewhere, I won't be getting anywhere with that. And if this isn't from my ISP, how does that kind of traffic even get across the internet?
Doesn't anybody past my rented black fiber filter traffic in any way? Would an ISP allow a customer to initiate traffic not sourced from that customer's own IP address/range?
Cheers
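The two questions above (is 0.0.4.0 really a special-use source, and how often is it hitting the outside interface?) can be answered from the syslog itself rather than WHOIS. The following is an added example, not code from the thread or from Cisco: it parses lines of the "Deny IP spoof from (...) to ... on interface ..." form quoted in the first post, checks the source against the well-known special-use IPv4 blocks (0.0.0.0/8 is the RFC 1122 "this" network, which is why WHOIS has nothing useful to say about it), and reports the total and the busiest minute per source. The sample log lines are constructed for the example; the syslog prefix format and the 106016 message ID are assumptions, and the destination uses a documentation address in place of the poster's removed public IP.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Special-use IPv4 blocks that must never be the source of a packet arriving
# on an Internet-facing interface. A hit here is a bogon: either a
# misconfigured device upstream or a deliberately spoofed source.
SPECIAL_USE = [
    ("0.0.0.0/8", "RFC 1122 'this' network"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "RFC 3927 link-local"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved (includes limited broadcast)"),
]
SPECIAL_USE_NETS = [(ipaddress.ip_network(cidr), why) for cidr, why in SPECIAL_USE]

# Matches the message text quoted in the thread. The BSD-style syslog prefix
# (timestamp, host, %ASA-2-106016:) is an assumption; the minute part of the
# timestamp is captured so denials can be bucketed per minute.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} .*?"
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample log lines (not real traffic). 203.0.113.10 is a
# documentation address standing in for the removed public IP.
SAMPLE_LOG = [
    "Oct  2 05:50:01 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside",
    "Oct  2 05:50:02 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside",
    "Oct  2 05:50:40 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside",
    "Oct  2 05:51:05 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside",
    "Oct  2 05:51:07 fw01 %ASA-2-106016: Deny IP spoof from (198.51.100.7) to 203.0.113.10 on interface outside",
    "Oct  2 05:51:08 fw01 %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.9/40000 to inside:10.0.0.5/443",
]


def classify_source(ip):
    """Return why a source address is special-use, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    for net, why in SPECIAL_USE_NETS:
        if addr in net:
            return why
    return None


def parse_line(line):
    """Extract minute bucket, source, destination and interface from one spoof-deny line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per source: total denials, busiest minute, and whether the source is special-use.

    A routable source that still shows up here failed the firewall's
    reverse-path check rather than a bogon check, which is worth telling apart
    before contacting anyone's abuse desk.
    """
    totals = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["src"]] += 1
        per_minute[rec["src"]][rec["ts"]] += 1
    return {
        src: {
            "total": total,
            "peak_per_minute": max(per_minute[src].values()),
            "special_use": classify_source(src),
        }
        for src, total in totals.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Feed it the real syslog instead of SAMPLE_LOG and the "special_use" field tells you which sources are not worth a WHOIS lookup; the "peak_per_minute" figure is what you would quote to the upstream provider when asking whether they apply ingress (BCP 38 style) source filtering on your link.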
10-03-2013 12:38 AM
hi,
There's a comment which also says it could be in your LAN, or perhaps someone VPN'd in and spoofed.
Comment: If you see addresses starting with a "0." in logs they are probably in use on your network, which might be as small as a computer connected to a home gateway.