1607 Views · 0 Helpful · 6 Replies

ROUTER 2911/K9 IS GENERATING ANOMALOUS TRAFFIC BY ITSELF

Dear Sirs,

We have a Cisco 2911/K9 router with IOS 15.0(1)M6 directly connected to the subnet 10.110.0.0/24,

but it is routing, by itself, internal traffic with a source address in 10.39.4.0/24.

This segment 10.39.4.0 is propagated to other remote routers, generating anomalous traffic to the internet and to internal servers.

This anomalous traffic is using the following protocol and port numbers:

  • ldap (389 tcp)
  • undefined (15880 tcp)

Can somebody tell me if we are facing an attack on the router?

Awaiting your prompt answer.

Roger Majo

6 Replies

Leo Laohoo
Hall of Fame

Duplicate thread.

Go HERE.

Leo.

I am sorry, I do not understand your question or request.

This anomalous segment originates in a Cisco 2911/K9 router, I think by itself.

The network segment 10.39.4.0/24 is not connected to the LAN interface.

This traffic is present in real time on many other routers, but we have detected the origin at the Cisco 2911/K9 router.

What information do you need?

What kind of test do you recommend to overcome this problem?

Attn.

Roger Majo

e.ciollaro
Level 4

"this segment 10.39.4.0 is propagated to other remote routers"

Do you mean packets? Or do you mean that this subnet is propagated through a routing protocol to other routers?

In the first case it could be spoofed IP traffic or just a misconfigured host. Did you try to check the MAC address and then check on your switch which port is associated with that MAC?

In case of IP spoofing, uRPF could help.

Bye,

enrico

PS: please rate if useful

Hi Enrico,

I mean packets that are propagated to other remote routers and to the internet.

For example, on the LAN interface of this router I see packets coming from 10.39.4.3 making ping (2040 icmp) to the following IP addresses:

  • 8.8.8.8 (this is a public address)
  • 10.72.1.1 (this is a server located in another remote office)
  • 10.11.20.1 (this is a PC located in another remote office)
  • 10.110.200.1 (this is the default gateway of the local router)

When I ping the IP address 10.39.4.3 it does not respond.

The command sh arp shows nothing.

These packets are propagated at this moment to only three remote branches.

We have determined the source of these packets, and it is the 2911/K9 router located in a branch office with a LAN segment of 10.110.x.y/16.

In this LAN segment 10.110.x.y/16 the segment 10.39.4.x/24 does not exist.

I have made ping tests to this address, then sh arp to determine the MAC address, but nothing appears. At the switches nothing appears either.

If this is the case for IP spoofing and uRPF, can you tell me what I can do, please?

The packets with a source address of 10.39.4.x are using source port number "0".

Please see the attached file.

Awaiting your prompt answer.

Attn.

Roger Majo

Hi,

  1. I didn't read all the articles you posted, but the second one stated that "An attacker could exploit this vulnerability using spoofed packets."
  2. In the attached ppt, 10.39.4.238 is the destination, not the source IP address (I suppose that's traffic in response to traffic originated by 10.39.4.238).
  3. "in this lan segment 10.110.x.y/16 does not exist the segment 10.39.4.x/24." This is not surprising; not all packets routed by a router are locally originated. The point is: is this subnet part of your network or not? If not, this is probably a spoofed packet.
  4. Did you try to use NetFlow layer 2 and security features? It could help you find the source of this packet; have a look here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.html
  5. uRPF is a feature useful in case of spoofed IP traffic; it checks whether the incoming interface of an IP packet is the output interface that would be used to forward a packet back to that source network: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/15-mt/sec-data-urpf-15-mt-book/cfg-unicast-rpf.html

enrico
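As an added illustration of the reverse-path check Enrico describes in point 5, and of the source-port-0 detail Roger reported earlier in the thread, the following Python is not code from the thread or from Cisco. It models strict and loose uRPF against a constructed routing table and audits a handful of constructed packets; the interface names, prefixes and packets are assumptions chosen to resemble the situation described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table (an assumption, loosely modelled on the thread):
# the branch LAN 10.110.0.0/16 sits on Gi0/0; remote offices and the default
# route are reached through the WAN interface Gi0/1.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.110.0.0/16"), "GigabitEthernet0/0"),
    Route(ipaddress.ip_network("10.72.0.0/16"), "GigabitEthernet0/1"),
    Route(ipaddress.ip_network("10.11.0.0/16"), "GigabitEthernet0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/1"),
]


def best_route(ip: ipaddress.IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, as a router's forwarding lookup would do."""
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def urpf_check(src: str, ingress: str, routes: List[Route], mode: str = "strict",
               allow_default: bool = False) -> bool:
    """Reverse-path check on the packet's SOURCE address.

    strict: the route back to src must point out the interface the packet
            arrived on (IOS: ip verify unicast source reachable-via rx).
    loose:  any route back to src is enough (reachable-via any).
    The default route only satisfies the check when allow_default is set,
    mirroring the IOS allow-default keyword.
    """
    route = best_route(ipaddress.ip_address(src), routes)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return route.interface == ingress


# Constructed sample packets: (src, dst, proto, sport, dport, ingress interface).
# The 10.39.4.3 entries imitate what the thread reports on the LAN interface.
SAMPLE_PACKETS = [
    ("10.110.200.50", "8.8.8.8", "udp", 51000, 53, "GigabitEthernet0/0"),
    ("10.39.4.3", "8.8.8.8", "icmp", 0, 0, "GigabitEthernet0/0"),
    ("10.39.4.3", "10.72.1.1", "tcp", 0, 389, "GigabitEthernet0/0"),
    ("10.72.1.1", "10.110.200.1", "tcp", 389, 40000, "GigabitEthernet0/1"),
]


def audit(packets, routes: List[Route],
          mode: str = "strict") -> List[Tuple[str, str, str, List[str]]]:
    """Return (src, dst, ingress, reasons) for every packet that fails uRPF
    or carries a TCP/UDP source port of 0, which no normal client socket uses."""
    flagged = []
    for src, dst, proto, sport, dport, ingress in packets:
        reasons = []
        if not urpf_check(src, ingress, routes, mode):
            reasons.append("urpf-fail")
        if proto in ("tcp", "udp") and sport == 0:
            reasons.append("source-port-0")
        if reasons:
            flagged.append((src, dst, ingress, reasons))
    return flagged


if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS, ROUTES):
        print(entry)
```

In the sample, the 10.39.4.3 packets fail even loose uRPF because only the default route covers that source, which is the same reason the IOS command `ip verify unicast source reachable-via rx` on the LAN interface would drop them (the default route counts only if `allow-default` is appended). A source that fails the check on a LAN interface, has no ARP entry and uses source port 0 is consistent with a host on that segment emitting spoofed packets; the NetFlow records Enrico mentions, keyed on ingress interface and source MAC, are the way to locate that host.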

 

Enrico,

I have found these links associated with this type of anomalous traffic that is using the following protocol and ports:

ldap (389 tcp)

ldap (389 udp)

http://tools.cisco.com/security/center/viewAlert.x?alertId=30573

http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=30519

https://technet.microsoft.com/library/security/ms13-sep

https://technet.microsoft.com/library/security/ms13-079

Can you tell me if this anomalous traffic is associated with this type of attack?

Awaiting your prompt answer.

Attn.

Roger Majo