
Unused IP addresses attack 3rd parties

Nikolaos Milas
Level 1

Hello,

We are having a strange situation where (used and) unused (!) public addresses belonging to our network attack third parties.

The specific network is as follows.

                                                WiFi5 -- WiFi6 -- SW11 (CE500-24TT)
                                                  |
                                                  |
       /--- <vlan 2> -- WiFi1 -- WiFi2 -- SW10 (SG300-10) -- WiFi3 -- WiFi4 -- R1 (Router 3640)
       |
       |
R0 (Router 3825) -- <vlan 1> -- SW0 (C2960-24TT-L) -- SW1 (C2950T-24)
                                 |
                                 |
                        SW2 (C2950T-24) -- SW3 (C2960CG-8TC-L) -- SW4 (SG300-28)


All the above devices use public admin IP addresses from two fragments of a public Class C subnet which has been split into multiple parts.

Wireless links WiFi1--WiFi2, WiFi3--WiFi4, WiFi5--WiFi6 are long-distance bridges implemented with Motorola equipment.

A part of the vlan2 switches/wireless routers remained exposed to the Internet for some days with public admin IPs (i.e. they were accessible from the Internet, whereas we normally prohibit access using ACLs).

I don't know if this was the cause of the security issue we are facing: we are seeing (through NetFlow monitoring) a high number of outgoing flows, which consist of attacks from IP addresses of the whole Class C subnet (used or unused!) to addresses abroad (mainly in China), mainly to ports 22, 80 and 7000.

The strangest aspect of the attack is that many of these flows originate from IP addresses which are unused! No ARP or MAC entries exist for these addresses.

I thought that the hacking of one of the exposed switches/wireless routers might have been the source of the issue, so we blocked access and eventually we shut vlan2 down. Before that, we examined all these devices and we did not find any visible signs of hacking (config changes / password changes / new accounts, etc.).

However, we continued to see the same behavior until we rebooted SW0; we currently see no such traffic, although we are worried that it will start again.

We have the following questions:

  1. Can someone understand/explain what may have really happened?
  2. We are suspecting that, if the switches have not been hacked, some endpoint (node) may have been hacked and is causing this traffic. Is there a way we can monitor the number of outgoing flows per port on switches, to be able to identify a port (and an associated connected device) that causes the traffic?
  3. Is it possible that a Cisco Switch may run malware? Where/how should we look for it?
  4. Can you please suggest any other actions we should take (investigative commands to run, etc)?
  5. Can you suggest related documentation?

Thanks in advance,

Nick

1 Reply

Nikolaos Milas
Level 1

We found what was happening and I post here for everyone's reference.

A workstation (running an old version of Fedora) had been hacked and was attacking the Internet using IP spoofing. It was automatically using IP addresses from the whole public Class C network to which its own IP address belonged.

So no part of the network infrastructure had been hacked, but the source of the attack was difficult to locate.

Regards,

Nick
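The resolution above explains the symptom in the original question: a host forges the IP source address, so the flows appear to come from unused addresses with no ARP or MAC entry, but the Ethernet frames still carry the host's real source MAC, which the switch's MAC address table maps to a port. The following script is an added example written for this thread (not code from the original poster or from Cisco) that puts that reasoning into practice for question 2: it joins flow records against the ARP and MAC tables, flags sources that are inside the site's prefix but have no ARP entry (or whose ARP entry names a different MAC than the frame carried), and groups the spoofed flows by real source MAC to name the switch port. The flow records, ARP table, MAC table and the 203.0.113.0/24 prefix are all constructed sample data, and the script assumes the flow exporter includes the Layer 2 source MAC of each flow (Flexible NetFlow can export this as a key field).

```python
"""Attribute spoofed outbound flows to a switch port.

Added example for this thread; not code from the original post or from Cisco.
Assumption: each flow record carries the Layer 2 source MAC (Flexible NetFlow
can export it). The spoofing host forges the IP source address, but the frame
still carries its real MAC, and the switch MAC address table maps that to a port.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed: the organisation's public /24 (TEST-NET-3 used as a placeholder).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Constructed ARP table (ip -> mac): only the addresses actually in use.
ARP_TABLE = {
    "203.0.113.10": "0011.2233.4455",
    "203.0.113.11": "0011.2233.4456",
    "203.0.113.50": "00aa.bbcc.dd01",   # the compromised workstation
}

# Constructed MAC address table (mac -> switch port), as 'show mac address-table' lists it.
MAC_TABLE = {
    "0011.2233.4455": "Fa0/1",
    "0011.2233.4456": "Fa0/2",
    "00aa.bbcc.dd01": "Fa0/7",
}

# Constructed flow records in key=value form: src IP, dst IP, dst port, source MAC.
FLOW_LOG = """\
src=203.0.113.10 dst=198.51.100.5 dport=443 smac=0011.2233.4455
src=203.0.113.77 dst=192.0.2.10 dport=22 smac=00aa.bbcc.dd01
src=203.0.113.200 dst=192.0.2.11 dport=7000 smac=00aa.bbcc.dd01
src=203.0.113.11 dst=192.0.2.12 dport=80 smac=00aa.bbcc.dd01
src=203.0.113.50 dst=192.0.2.13 dport=22 smac=00aa.bbcc.dd01
src=203.0.113.11 dst=198.51.100.9 dport=80 smac=0011.2233.4456
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flows(text):
    """Parse key=value flow lines into dicts; dport becomes an int."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(_KV.findall(line))
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def classify_flow(flow, arp=ARP_TABLE, prefix=OUR_PREFIX):
    """Return 'external', 'legit', 'spoofed_unused' or 'spoofed_used'.

    A source inside our prefix with no ARP entry cannot have been sent by a
    real host holding that address; a source whose ARP entry names a different
    MAC than the frame carried is a used address being impersonated.
    """
    src = ipaddress.ip_address(flow["src"])
    if src not in prefix:
        return "external"
    expected_mac = arp.get(flow["src"])
    if expected_mac is None:
        return "spoofed_unused"
    if expected_mac.lower() != flow["smac"].lower():
        return "spoofed_used"
    return "legit"


def locate_spoofers(flows, arp=ARP_TABLE, mac_table=MAC_TABLE, prefix=OUR_PREFIX):
    """Group spoofed flows by real source MAC and resolve each MAC to a switch port."""
    by_mac = defaultdict(lambda: {"port": None, "flows": 0,
                                  "spoofed_srcs": set(), "dports": Counter()})
    for flow in flows:
        if not classify_flow(flow, arp, prefix).startswith("spoofed"):
            continue
        mac = flow["smac"].lower()
        entry = by_mac[mac]
        entry["port"] = mac_table.get(mac, "unknown")
        entry["flows"] += 1
        entry["spoofed_srcs"].add(flow["src"])
        entry["dports"][flow["dport"]] += 1
    return dict(by_mac)


if __name__ == "__main__":
    for mac, info in locate_spoofers(parse_flows(FLOW_LOG)).items():
        print(f"{mac} on port {info['port']}: {info['flows']} spoofed flows, "
              f"{len(info['spoofed_srcs'])} forged source addresses, "
              f"destination ports {dict(info['dports'])}")
```

Two caveats from the thread itself. First, the forged addresses belong to the same /24 as the attacking host, so a prefix-based egress ACL or unicast RPF on the router would have passed them; the controls that catch this class of traffic sit on the access port (IP Source Guard with a static binding, or a port ACL limiting the port to its assigned address). Second, if the exporter cannot include the source MAC, group the spoofed flows by input interface instead to narrow the search to a router interface or VLAN, then walk the MAC address tables of the switches behind it port by port.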