suspicious traffic

pgamage · ‎07-27-2012

We have 1M serial link. we noticed 1M up / down traffic. then we disconnected all LAN ports leaving only this serial link up. still we see 1M up/down traffic.

debug ip packet shows incomming and out going traffic.

How do we solve this porblem?

Please help.

John Blakley · ‎07-28-2012

Were you able to determine what port the traffic is trying to connect to? You should determine if it's the same source address trying to connect to the same port, or if it's different source addresses trying to connect to the same port or even different ports. This could be an indication of a DoS attempt or it could possibly be legitimate traffic. It's really hard to tell without having additional information.

HTH,

John

HTH, John *** Please rate all useful posts ***

pgamage · ‎07-28-2012

Debug ip packet shows 2 outbound packet originated from serial link IP, then 3 inbound packets come to the inside global NAT address.

This pattern repeats again and again. I don't understand how router generate this outbound traffic with source address of the serial interface.

Inbound - Internet IP to Inside Global NAT IP(66.66.66.66)

Outboud - Serial Interface(55.55.55.55) IP to Internet

Inbound

Jul 28 01:52:02.951: IP: s=66.150.8.24, d=66.66.66.66, pak 296A9B9C consumed in input feature , packet consumed, MCI

Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.259: IP: s=66.150.8.20 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.259: IP: s=66.150.8.20 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Outbound

Jul 28 01:52:03.259: IP: s=55.55.55.55 (local), d=66.150.8.20 (Serial0/0/0), len 56, sending

Jul 28 01:52:03.259: IP: s=55.55.55.55 (local), d=66.150.8.20 (Serial0/0/0), len 56, sending full packet

Inbound

Jul 28 01:52:03.259: IP: s=66.150.8.20, d=66.66.66.66, pak 296A96E0 consumed in input feature , packet consumed, MCI

Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.603: IP: s=66.150.8.24 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.603: IP: s=66.150.8.24 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Outbound

Jul 28 01:52:03.603: IP: s=55.55.55.55 (local), d=66.150.8.24 (Serial0/0/0), len 56, sending

Jul 28 01:52:03.603: IP: s=55.55.55.55 (local), d=66.150.8.24 (Serial0/0/0), len 56, sending full packet

Inbound

Jul 28 01:52:03.603: IP: s=66.150.8.24, d=66.66.66.66, pak 2818D854 consumed in input feature , packet consumed, MCI

Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.611: IP: s=66.150.8.32 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.611: IP: s=66.150.8.32 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Outbound

Jul 28 01:52:03.611: IP: s=55.55.55.55 (local), d=66.150.8.32 (Serial0/0/0), len 56, sending

Jul 28 01:52:03.611: IP: s=55.55.55.55 (local), d=66.150.8.32 (Serial0/0/0), len 56, sending full packet

Inbound

Jul 28 01:52:03.611: IP: s=66.150.8.32, d=66.66.66.66, pak 296AA058 consumed in input feature , packet consumed, MCI

Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.915: IP: s=66.150.8.20 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jul 28 01:52:03.915: IP: s=66.150.8.20 (Serial0/0/0), d=66.66.66.66, len 32, input feature, Virtual Fragment Reassemb

ly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Outbound

Jul 28 01:52:03.915: IP: s=55.55.55.55 (local), d=66.150.8.20 (Serial0/0/0), len 56, sending

Jul 28 01:52:03.915: IP: s=55.55.55.55 (local), d=66.150.8.20 (Serial0/0/0), len 56, sending full packet

pgamage · ‎07-28-2012

There is a clear pattern.

Router recieve this

s=66.150.8.20 d=66.66.66.66 and replies with

s=55.55.55.55 d=66.150.8.20

Is router sending some message towards the soruce?

Formatted text of previous posting is like this.

In

s=66.150.8.24 d=66.66.66.66

s=66.150.8.20 d=66.66.66.66

Out

s=55.55.55.55 d=66.150.8.20

In

s=66.150.8.20 d=66.66.66.66

s=66.150.8.24 d=66.66.66.66

Out

s=55.55.55.55 d=66.150.8.24

In

s=66.150.8.24 d=66.66.66.66

s=66.150.8.32 d=66.66.66.66

Out

s=55.55.55.55 d=66.150.8.32

In

s=66.150.8.32 d=66.150.8.32

s=66.150.8.20 d=66.150.8.32

out

s=55.55.55.55 d=66.150.8.20