09-03-2015 06:12 PM - edited 03-05-2019 02:14 AM
Dear Sirs,
We have a Cisco 2911/K9 router with IOS 15.0(1)M6 directly connected to the subnet 10.110.0.0/24,
but it is routing, by itself, internal traffic with a source address in 10.39.4.0/24.
This segment 10.39.4.0 is propagated to other remote routers, generating anomalous traffic to the Internet and to internal servers.
This anomalous traffic is using the following protocol and port number:
Can somebody tell me whether we are facing an attack on the router?
Awaiting your prompt answer.
Roger Majo
09-03-2015 06:16 PM
09-03-2015 06:23 PM
Leo,
I am sorry, I do not understand your question or request.
This anomalous segment originates in a Cisco 2911/K9 router, I think by itself.
The network segment 10.39.4.0/24 is not connected to the LAN interface.
This traffic is present in real time on many other routers, but we have traced the origin to the Cisco 2911/K9 router.
What information do you need?
What kind of test do you recommend to overcome this problem?
Regards,
Roger Majo
09-04-2015 03:42 AM
"this segment 10.39.4.0 is propagated to other remote routers"
Do you mean packets? Or do you mean that this subnet is propagated through a routing protocol to other routers?
In the first case it could be spoofed IP traffic or just a misconfigured host. Did you try to check the MAC address and then check on your switch which port is associated with that MAC?
In case of ip spoofing uRPF could help.
Bye,
enrico
PS: please rate if useful
09-04-2015 07:32 AM
Hi Enrico,
I mean packets that are propagated to other remote routers and to the Internet.
For example, on the LAN interface of this router I see packets coming from 10.39.4.3 pinging (2040 icmp) the following IP addresses:
When I ping the IP address 10.39.4.3 it does not respond.
The command sh arp shows nothing.
At this moment these packets are propagated to only three remote branches.
We have determined the source of these packets, and it is the 2911/K9 router located in a branch office with the LAN segment 10.110.x.y/16.
The segment 10.39.4.x/24 does not exist in this LAN segment 10.110.x.y/16.
I have pinged this address and then run sh arp to determine the MAC address, but nothing appears. Nothing appears on the switches either.
If this is a case of IP spoofing, can you tell me what I can do with uRPF, please?
The packets with a source address of 10.39.4.x are using source port number "0".
Please see the attached file.
Awaiting your prompt answer.
Regards,
Roger Majo
09-05-2015 06:21 AM
Hi,
"in this lan segment 10.110.x.y/16 does not exist the segment 10.39.4.x/24." This is not surprising: not all packets routed by a router are locally originated. The point is: is this subnet part of your network or not? If not, this is probably a spoofed packet.
Did you try to use the NetFlow Layer 2 and security features? They could help you find the source of this packet; have a look here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.html
uRPF is a feature that is useful in case of spoofed IP traffic; it checks whether the incoming interface of an IP packet is the output interface that would be used to forward a packet back to that source network: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/15-mt/sec-data-urpf-15-mt-book/cfg-unicast-rpf.html
enrico
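The two techniques Enrico names above (finding the ingress point of the spoofed 10.39.4.0/24 packets, then dropping them with uRPF) can be put into a single IOS configuration. The following is an added example written for this thread, not configuration from the original posts or from Cisco's documentation; the interface name GigabitEthernet0/0 and the ACL name TRACE-SPOOF are assumptions, and the LAN addressing follows the 10.110.0.0/24 segment the original poster describes.

```cisco
! Added example (not from the thread). Assumed: GigabitEthernet0/0 is the LAN
! interface facing 10.110.0.0/24; ACL name TRACE-SPOOF is arbitrary.
!
! Step 1: find where the packets enter. "log-input" adds the ingress interface
! and the source MAC address to the syslog line, which is exactly what
! "show arp" cannot give for a source that never answers ARP.
ip access-list extended TRACE-SPOOF
 permit ip 10.39.4.0 0.0.0.255 any log-input
 permit ip any any
!
! Rate-limit ACL logging so a flood of spoofed packets cannot load the CPU.
ip access-list logging interval 100
logging rate-limit 10
!
interface GigabitEthernet0/0
 description LAN 10.110.0.0/24
 ip access-group TRACE-SPOOF in
!
! Step 2: drop spoofed sources at the ingress interface with strict uRPF.
! A packet is accepted only if the router's best route back to its source
! address points out the same interface the packet arrived on. 10.39.4.0/24
! is not behind the LAN, so packets with that source are dropped there.
! uRPF needs CEF, which is on by default on a 2911 but is stated explicitly.
ip cef
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
!
! Step 3: NetFlow on the same interface to count flows per source and port
! (the thread mentions ICMP and TCP/UDP 389 with source port 0).
interface GigabitEthernet0/0
 ip flow ingress
!
! Verification, from exec mode:
!   show logging | include 10.39.4          <- ingress interface and source MAC
!   show ip interface GigabitEthernet0/0 | include verif   <- uRPF active, drop counter
!   show ip cache flow | include 10.39.4    <- flows still arriving, by port
!   show ip traffic | include RPF           <- global uRPF drop count
```

The MAC address reported in the log-input entry is the one to look up with show mac address-table on the access switch; if it turns out to be the router's own LAN MAC, the packets are being generated or bridged by the router itself rather than by a host. Strict uRPF is safe on a stub LAN interface like this one, where every legitimate source is directly connected; on a WAN or asymmetrically routed interface use the loose form (reachable-via any) instead, or strict mode will drop valid traffic.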
09-04-2015 07:40 AM
Enrico,
I have found these links associated with this type of anomalous traffic that uses the protocol and port:
ldap (389 tcp)
ldap (389 udp)
http://tools.cisco.com/security/center/viewAlert.x?alertId=30573
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=30519
https://technet.microsoft.com/library/security/ms13-sep
https://technet.microsoft.com/library/security/ms13-079
Can you tell me whether this anomalous traffic is associated with this type of attack?
Awaiting your prompt answer.
Regards,
Roger Majo