ROUTER 2911/K9 IS GENERATING ANOMALOUS TRAFFIC BY ITSELF
09-03-2015 06:12 PM - edited 03-05-2019 02:14 AM
Dear Sirs,
We have a Cisco 2911/K9 router with IOS 15.0(1)M6 directly connected to the subnet 10.110.0.0/24,
but it is routing by itself internal traffic with a source address in 10.39.4.0/24.
This segment 10.39.4.0 is propagated to other remote routers, generating anomalous traffic to the internet and to internal servers.
This anomalous traffic is using the following protocols and port numbers:
- ldap (389 tcp)
- undefined (15880 tcp)
Can somebody tell me if we are facing an attack on the router?
Awaiting your prompt answer.
Roger Majo
Labels: Other Routers
09-03-2015 06:16 PM
09-03-2015 06:23 PM
Leo,
I am sorry, I do not understand your question or request.
This anomalous segment originates in a Cisco 2911/K9 router, I think by itself.
The network segment 10.39.4.0/24 is not connected to the LAN interface.
This traffic is present in real time at many other routers, but we have detected the origin at the Cisco 2911/K9 router.
What information do you need?
What kind of test do you recommend to overcome this problem?
Attn.
Roger Majo

09-04-2015 03:42 AM
"this segment 10.39.4.0 is propagated to other remote routers"
Do you mean packets? Or do you mean that this subnet is propagated through a routing protocol to other routers?
In the first case it could be spoofed IP traffic or just a misconfigured host. Did you try to check the MAC address and then check on your switch which port is associated with that MAC?
In case of IP spoofing, uRPF could help.
Bye,
enrico
PS: please rate if useful
09-04-2015 07:32 AM
Hi Enrico,
I mean packets that are propagated to other remote routers and the internet.
For example, on the LAN interface of this router I see packets coming from 10.39.4.3 making ping (2040 icmp) to the following IP addresses:
- 8.8.8.8 (this is a public address)
- 10.72.1.1 (this is a server located in another remote office)
- 10.11.20.1 (this is a PC located in another remote office)
- 10.110.200.1 (this is the default gateway of the local router)
When I ping the IP address 10.39.4.3 it does not respond.
The command sh arp does not show anything.
These packets are propagated at this moment to only three remote branches.
We have determined the source of these packets, and it is the 2911/K9 router located in a branch office with LAN segment 10.110.x.y/16.
In this LAN segment 10.110.x.y/16 the segment 10.39.4.x/24 does not exist.
I have made a ping test to this address, then sh arp to determine the MAC address, but nothing appears. Nothing appears at the switches either.
If this is a case of IP spoofing (uRPF), can you tell me what I can do, please?
The packets with a source address of 10.39.4.x are using source port number "0".
Please see the attached file.
Awaiting your prompt answer.
Attn.
Roger Majo
09-05-2015 06:21 AM
Hi,
- I didn't read all the articles you posted, but the second one states that "An attacker could exploit this vulnerability using spoofed packets."
- In the attached ppt, 10.39.4.238 is the destination, not the source IP address (I suppose that's traffic in response to traffic originated by 10.39.4.238).
"In this LAN segment 10.110.x.y/16 the segment 10.39.4.x/24 does not exist." This is not surprising; not all packets routed from a router are locally originated. The point is: is this subnet part of your network or not? If not, this is probably a spoofed packet.
Did you try to use the NetFlow layer 2 and security feature? It could help you find the source of this packet; have a look here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.html
uRPF is a feature useful in case of spoofed IP traffic; it checks whether the incoming interface of an IP packet is the output interface used to forward packets to that network: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_urpf/configuration/15-mt/sec-data-urpf-15-mt-book/cfg-unicast-rpf.html
enrico
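A worked illustration of the reverse-path check Enrico describes here, together with the MAC-tracing step from his earlier reply, written as an added Python example that is not part of the thread or of any Cisco software. The routing table, interface names, per-interface uRPF policy, flow records and MAC addresses are all constructed assumptions modeled on the addresses the poster reports (10.39.4.3 pinging 8.8.8.8, 10.72.1.1 and 10.110.200.1 with source port 0), not data from the real router.

```python
import ipaddress

# Constructed routing table for the branch router. Interface names and the
# remote prefixes are assumptions for this example, not the poster's config.
RIB = {
    "10.110.0.0/24": "GigabitEthernet0/0",  # directly connected LAN
    "10.72.0.0/16": "GigabitEthernet0/1",   # remote office, reached over the WAN
    "10.11.0.0/16": "GigabitEthernet0/1",   # remote office, reached over the WAN
    "0.0.0.0/0": "GigabitEthernet0/1",      # default route toward the internet
}

# Assumed per-interface policy: strict on the LAN, where every legitimate
# source must be a connected subnet; loose with allow-default on the WAN,
# where internet sources are only reachable through the default route.
POLICY = {
    "GigabitEthernet0/0": ("strict", False),
    "GigabitEthernet0/1": ("loose", True),
}

# Constructed flow records (NetFlow-style) with made-up MAC addresses.
SAMPLE_FLOWS = [
    {"src": "10.39.4.3", "dst": "8.8.8.8", "proto": "icmp", "sport": 0, "dport": 0,
     "ingress": "GigabitEthernet0/0", "mac": "00:11:22:33:44:55"},
    {"src": "10.39.4.3", "dst": "10.72.1.1", "proto": "icmp", "sport": 0, "dport": 0,
     "ingress": "GigabitEthernet0/0", "mac": "00:11:22:33:44:55"},
    {"src": "10.39.4.3", "dst": "10.110.200.1", "proto": "tcp", "sport": 0, "dport": 389,
     "ingress": "GigabitEthernet0/0", "mac": "00:11:22:33:44:55"},
    {"src": "10.110.0.25", "dst": "10.72.1.1", "proto": "tcp", "sport": 51234, "dport": 389,
     "ingress": "GigabitEthernet0/0", "mac": "aa:bb:cc:dd:ee:01"},
    {"src": "8.8.8.8", "dst": "10.110.0.25", "proto": "icmp", "sport": 0, "dport": 0,
     "ingress": "GigabitEthernet0/1", "mac": "aa:bb:cc:dd:ee:ff"},
]


def lookup(rib, addr, allow_default=False):
    """Longest-prefix match for the *source* address. As in IOS uRPF, the
    default route is ignored unless allow_default is set. Returns the egress
    interface of the best route, or None when no usable route exists."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_passes(rib, src, ingress, allow_default=False):
    """Strict uRPF: pass only if the reverse path to the source address
    leaves through the same interface the packet arrived on."""
    return lookup(rib, src, allow_default) == ingress


def loose_urpf_passes(rib, src, allow_default=False):
    """Loose uRPF: pass if any (non-default, unless allowed) route to the
    source address exists, regardless of interface."""
    return lookup(rib, src, allow_default) is not None


def urpf_passes(rib, src, ingress, policy=POLICY):
    """Apply the per-interface policy to one packet."""
    mode, allow_default = policy[ingress]
    if mode == "strict":
        return strict_urpf_passes(rib, src, ingress, allow_default)
    return loose_urpf_passes(rib, src, allow_default)


def triage(rib, flows, policy=POLICY):
    """Return the flows uRPF would drop, with the MAC to look up on the
    access switch (the step from the first reply in the thread)."""
    findings = []
    for f in flows:
        if urpf_passes(rib, f["src"], f["ingress"], policy):
            continue
        findings.append({"src": f["src"], "dst": f["dst"], "ingress": f["ingress"],
                         "mac": f["mac"], "sport_zero": f["sport"] == 0})
    return findings


def suspicious_macs(rib, flows, policy=POLICY):
    """Distinct source MACs behind the flows that fail uRPF."""
    return sorted({f["mac"] for f in triage(rib, flows, policy)})


if __name__ == "__main__":
    for f in triage(RIB, SAMPLE_FLOWS):
        print(f"DROP {f['src']} -> {f['dst']} on {f['ingress']} (src MAC {f['mac']})")
    for mac in suspicious_macs(RIB, SAMPLE_FLOWS):
        print(f"check switch: show mac address-table address {mac}")
```

The split policy is the caveat a practitioner hits first: strict mode on the WAN side with the default route ignored would drop every internet-sourced packet (the 8.8.8.8 reply in the sample), which is why the WAN interface uses loose mode with allow-default while the LAN interface, where the 10.39.4.3 packets enter, can be strict. On IOS the equivalent interface commands are `ip verify unicast source reachable-via rx` (strict) or `ip verify unicast source reachable-via any` (loose), optionally with `allow-default`, and the feature requires CEF to be enabled, as the uRPF guide linked above covers.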
09-04-2015 07:40 AM
Enrico,
I have found these links associated with this type of anomalous traffic that is using the following protocol and ports:
ldap (389 tcp)
ldap (389 udp)
http://tools.cisco.com/security/center/viewAlert.x?alertId=30573
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=30519
https://technet.microsoft.com/library/security/ms13-sep
https://technet.microsoft.com/library/security/ms13-079
Can you tell me if this anomalous traffic is associated with this type of attack?
Awaiting your prompt answer.
Attn.
Roger Majo
