12-02-2014 04:16 AM - edited 03-10-2019 12:19 AM
Hello,
We are having a strange situation where (used and) unused (!) public addresses belonging to our network attack 3rd parties.
The specific network is as follows.
WiFi5 -- WiFi6 -- SW11 (CE500-24TT)
|
|
/--- <vlan 2> -- WiFi1 -- WiFi2 -- SW10 (SG300-10) -- WiFi3 -- WiFi4 -- R1 (Router 3640)
|
|
R0 (Router 3825) -- <vlan 1> -- SW0 (C2960-24TT-L) -- SW1 (C2950T-24)
|
|
SW2 (C2950T-24) -- SW3 (C2960CG-8TC-L) -- SW4 (SG300-28)
All the above devices use public admin IP addresses from two fragments of a public Class C subnet which has been split in multiple parts.
Wireless Links WiFi1--WiFi2, WiFi3--WiFi4, WiFi5--WiFi6 are high distance bridges implemented with Motorola equipment.
A part of vlan2 Switches/Wireless Routers remained exposed to the Internet for some days with public admin IPs (i.e. it was accessible from the Internet, whereas we normally prohibit access using ACLs).
I don't know if this was the cause of the security issue we are facing: We are watching (through Netflow monitoring) a high number of outgoing flows, which consist of attacks from IP Addresses of the whole Class C subnet (used or unused!) to addresses abroad (mainly to China), mainly to ports 22, 80, 7000.
The strangest aspect of the attack is that many of these flows originate from IP addresses which are unused! No ARP or MAC entries exist for these addresses.
I thought that hacking to one of the exposed Switches/Wireless Routers might have been the source of the issue, so we blocked access and eventually we shut vlan2 down. Before that, we examined all these devices and we did not find any visible signs of hacking (config changes / password changes / new accounts, etc.).
However, we continued to see the same behavior until we rebooted SW0. We currently see no such traffic, although we are worried that it will start again.
We have the following questions:
Thanks in advance,
Nick
12-16-2014 12:43 AM
We found what was happening and I post here for everyone's reference.
A workstation (running an old version of Fedora) had been hacked and was attacking the Internet using IP spoofing. It was automatically using IP addresses from the whole public Class C network to which its own IP address belonged.
So no part of the network infrastructure had been hacked, but the source of the attack was difficult to locate.
Regards,
Nick
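The symptom Nick describes (outbound flows sourced from addresses of the local Class C that have no ARP or MAC entry) can be turned into a simple NetFlow check. The script below is an added example, not something posted in this thread: it takes NetFlow-style records and the gateway's ARP table, flags local source addresses nobody owns as spoofed, and then uses the flows' input interface to narrow down where the spoofing host sits, which is the part that was hard to locate here. The prefix, ARP table and flow records are constructed placeholders, and the assumption that the exporter records a distinct input ifIndex per access segment is mine (a collector fed by the router's VLAN interface alone would see one ifIndex for the whole VLAN, so the port-level data would have to come from the switch).

```python
"""Spot a host spoofing source addresses from its own /24 in NetFlow data.

Added example; the prefix, ARP table and flow records below are constructed and
stand in for the thread's (unnamed) public Class C network.
"""
import ipaddress
from collections import Counter

# Constructed placeholder for the public Class C discussed in the thread.
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")

# Constructed ARP table of the gateway router: the addresses actually in use.
ARP_TABLE = {"198.51.100.1", "198.51.100.10", "198.51.100.24", "198.51.100.77"}

# Constructed NetFlow-style records: (source, destination, destination port, input ifIndex).
FLOWS = [
    # ordinary outbound traffic from real hosts on ifIndex 2
    ("198.51.100.10", "203.0.113.5", 443, 2),
    ("198.51.100.77", "203.0.113.8", 80, 2),
    # sources with no ARP entry, all entering on ifIndex 3
    ("198.51.100.201", "203.0.113.50", 22, 3),
    ("198.51.100.9", "203.0.113.51", 7000, 3),
    ("198.51.100.150", "203.0.113.52", 80, 3),
    ("198.51.100.201", "203.0.113.53", 22, 3),
    # a real host that shares ifIndex 3 with the spoofed flows
    ("198.51.100.24", "203.0.113.54", 22, 3),
    # inbound traffic: source is not ours, must be ignored
    ("203.0.113.99", "198.51.100.10", 443, 1),
]


def outbound_local(flows, local_net=LOCAL_NET):
    """Keep only flows whose source claims to be one of our own addresses."""
    return [f for f in flows if ipaddress.ip_address(f[0]) in local_net]


def spoofed_sources(flows, arp_table=ARP_TABLE, local_net=LOCAL_NET):
    """Local source addresses the gateway has never resolved.

    Nobody owns these addresses, so whatever emits them is forging the source.
    """
    return {src for src, *_ in outbound_local(flows, local_net) if src not in arp_table}


def spoofing_ingress(flows, arp_table=ARP_TABLE, local_net=LOCAL_NET):
    """Input interfaces carrying spoofed flows, with a flow count per interface.

    One host spoofing a whole /24 shows up as a single interface carrying many
    unowned source addresses.
    """
    bad = spoofed_sources(flows, arp_table, local_net)
    return Counter(ifidx for src, _, _, ifidx in flows if src in bad)


def suspect_hosts(flows, arp_table=ARP_TABLE, local_net=LOCAL_NET):
    """Real (ARP-known) addresses sending from the busiest spoofing interface.

    These are the machines to inspect first; a compromised host usually also
    talks under its own address from the same port.
    """
    ingress = spoofing_ingress(flows, arp_table, local_net)
    if not ingress:
        return set()
    worst_if, _ = ingress.most_common(1)[0]
    return {
        src
        for src, _, _, ifidx in outbound_local(flows, local_net)
        if ifidx == worst_if and src in arp_table
    }


def targeted_ports(flows, arp_table=ARP_TABLE, local_net=LOCAL_NET):
    """Destination ports of the spoofed flows, to characterise the attack traffic."""
    bad = spoofed_sources(flows, arp_table, local_net)
    return Counter(port for src, _, port, _ in flows if src in bad)


if __name__ == "__main__":
    print("spoofed sources:", sorted(spoofed_sources(FLOWS)))
    print("ingress interfaces:", spoofing_ingress(FLOWS).most_common())
    print("hosts to inspect:", sorted(suspect_hosts(FLOWS)))
    print("ports hit:", targeted_ports(FLOWS).most_common())
```

Once the offending access port is known, the same observation suggests the mitigation: spoofed sources from the local prefix should never be accepted from a single host's port, so source-address validation on the access layer (unicast RPF on the router, or an ingress ACL / IP Source Guard on the switch port permitting only the host's own address) stops the traffic at the first hop instead of leaving it to be spotted in NetFlow at the edge.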