TCP/UDP Port 15687 Attack?

Unanswered Question
Jun 6th, 2007

I recently turned the Firewall Feature set on for one of our remote sites that previously had only PAT for security. We are seeing about 1600 attempts an hour to access the PAT address on TCP and UDP port 15687. Anyone have any idea what is going on? Thanks!

Also, if anyone has any ideas on how to track this down, I would appreciate it.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hadbou Tue, 06/12/2007 - 10:24

You can make use of this document

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

bbeal Thu, 06/14/2007 - 11:18

Thanks! Good document. At this point, I am really interested in knowing what this traffic is. It has been continuing steady for 2 weeks.

Also, as a followup question. I put an outbound ACL that just logs traffic on tcp/udp port 15687. Oddly enough, what is showing up in the logs is traffic to UDP Port 0. Since I am not logging traffic on Port 0, I am curious why it is being logged. Any ideas? Is it an IOS ACL bug or a reporting bug?

Thx!

Richard Burts Thu, 06/14/2007 - 11:27

Barry

The most common cause of the log messages reporting UDP (or TCP) port 0 is that the access list is checking IP addresses but is not specifically checking ports. In essence if the ACL is not checking ports then it can not report ports (if the ACL only specifies to look in the layer 3 header, then it has no idea what is in the layer 4 header and can not report the value of the port).

Could you post the syntax of the ACL and how it is assigned to the interface?

HTH

Rick

bbeal Fri, 06/15/2007 - 05:50

Here is the ACL. It is applied to the inside GI0/1 int:

access-list 106 remark auto generated by SDM firewall configuration

access-list 106 remark SDM_ACL Category=1

access-list 106 permit tcp any any eq 15687 log

access-list 106 permit udp any any eq 15687 log

access-list 106 remark Auto generated by SDM for NTP (123) 10.0.0.2

access-list 106 permit udp host 10.0.0.2 eq ntp host 10.5.0.1 eq ntp

access-list 106 deny ip host 255.255.255.255 any

access-list 106 deny ip 127.0.0.0 0.255.255.255 any

access-list 106 permit ip any any

Here is the results:

#sh access-l 106

Extended IP access list 106

10 permit tcp any any eq 15687 log (237 matches)

20 permit udp any any eq 15687 log (2791208 matches)

30 permit udp host 10.0.0.2 eq ntp host 10.5.0.1 eq ntp

40 deny ip host 255.255.255.255 any

50 deny ip 127.0.0.0 0.255.255.255 any

60 permit ip any any (57949244 matches)

What I am asking about now is that almost all of the UDP hits show up in the syslog as going to Port 0 rather than 15687. Here is a sample from the Syslog:

Jun 14 00:32:01.901: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.110.209.162(0), 1 packet

Jun 14 00:36:17.861: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 218.80.169.234(0), 1 packet

Jun 14 00:36:26.405: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.110.209.162(0), 1 packet

Jun 14 00:48:08.714: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 125.238.37.228(0), 1260 packets

Jun 14 00:57:17.405: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.103.6.131(0), 1 packet

Jun 14 01:03:08.699: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.103.6.131(0), 7413 packets

Jun 14 01:03:08.699: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 60.21.101.94(0), 1375 packets

Richard Burts Fri, 06/15/2007 - 06:05

Barry

Thanks for posting the additional information. This is very odd. Certainly the access list is examining port numbers and the log messages should have the port numbers instead of reporting zeros. Are there any entries in syslog where it is reporting port numbers for UDP or is every entry reporting zeros?

I have seen situations where the action of the router was different from what is in running config. I have especially seen some situations where the router action reflected something that had been previously configured, the configuration changed, but the behavior seems to still reflect the old configuration. Would it be possible to save the config, reboot the router, and see if the behavior changes? If not would it be possible to copy the access list to a text file, delete the access list in the config, and paste the access list back into the config from the text file?

HTH

Rick

bbeal Fri, 06/15/2007 - 06:18

I think it is pretty odd too! The syslog does contain logs for actual traffic to port 15687. Here is an example:

Jun 13 00:35:00.486: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(15687) -> 59.60.9.68(15687), 1 packet

It is a bit of a mystery, but thought someone might have seen something similar with this on Port 0. The real question though is what is all the Inbound traffic attempts on port 15678 (not shown in these ACLs or syslogs)? The volume is about 1600 attempts an hour (not enough for DOS). My guess is that it is some kind of gaming program with a way of seeing who else is online so the users can invite them to play. I would like to verify that.

Actions

This Discussion