
Unknown subnet in port scanner

fgasimzade
Level 4

Hello,

We were scanning our network and found a strange subnet, which we don't have in our network.

The subnet is 10.0.1.0/24 and there are some ports open on some IPs, for example 80

We started to dig deeper and found 3 mac addresses, associated with all the IPs in the subnet:

0007.b400.0202

0007.b400.0201

0008.e3ff.fd90

The first two MAC addresses point to our two Cisco 2951 routers, to interfaces with GLBP enabled.

The third MAC is located on our Cisco 4500x with VSS and points to all VLAN interfaces.

There are no routes to this subnet on the routers and 4500x. Traceroute is going to the Internet. They are not pingable, but we can telnet on port 80

Reply is:

HTTP/1.1 400 Bad Request
Date: Fri, 10 Jan 2020 06:52:48 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

We can also telnet to port 80 on the router's IP that 0007.b400.0202 points to, with the same reply.

Do you have any thoughts on this? Is it some kind of a bug/misconfiguration in IOS?

Thank you

1 Reply

Hello,

Hard to say; it could very well be some sort of address spoofing attempt or DDoS attack (attempt). It might be a good idea to block RFC1918 addresses using an access list and apply it to the outside interface:

access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255

access-list 101 permit ip your_network any
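
The access list from the reply, evaluated against constructed flows, as an added example that is not part of the original thread: a small Python evaluator for `access-list N permit|deny ip SRC DST` entries that shows wildcard-mask matching, first-match order and the implicit deny. `192.0.2.0/24` stands in for `your_network`, and the function names are assumptions made for illustration.

```python
import ipaddress

# The three deny lines are the reply's ACL; 192.0.2.0/24 stands in for
# "your_network" and is an assumed placeholder (documentation range).
ACL_101 = """\
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF             # every bit is "don't care"
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(wildcard))

def parse_acl(text):
    """Parse entries into (action, source spec, destination spec) tuples."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue                     # only the entry form used on this page
        rest = tokens[4:]                # source spec first, then destination
        aces.append((tokens[2], _take_addr(rest), _take_addr(rest)))
    return aces

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF        # wildcard 0-bits must match exactly
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(aces, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, d in aces:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

if __name__ == "__main__":
    for src, dst in [("192.0.2.10", "10.0.1.5"), ("192.0.2.10", "198.51.100.7")]:
        print(src, "->", dst, evaluate(parse_acl(ACL_101), src, dst))
```

As written, the deny entries match on the destination field, so a packet addressed to 10.0.1.x is dropped at the interface instead of following the default route.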