06-06-2007 10:13 AM - edited 03-11-2019 03:26 AM
I recently turned the Firewall Feature set on for one of our remote sites that previously had only PAT for security. We are seeing about 1600 attempts an hour to access the PAT address on TCP and UDP port 15687. Anyone have any idea what is going on? Thanks!
Also, if anyone has any ideas on how to track this down, I would appreciate it.
06-12-2007 10:24 AM
You can make use of this document
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
06-14-2007 11:18 AM
Thanks! Good document. At this point, I am really interested in knowing what this traffic is. It has been continuing steady for 2 weeks.
Also, as a follow-up question. I put an outbound ACL that just logs traffic on tcp/udp port 15687. Oddly enough, what is showing up in the logs is traffic to UDP Port 0. Since I am not logging traffic on Port 0, I am curious why it is being logged. Any ideas? Is it an IOS ACL bug or a reporting bug?
Thx!
06-14-2007 11:27 AM
Barry
The most common cause of the log messages reporting UDP (or TCP) port 0 is that the access list is checking IP addresses but is not specifically checking ports. In essence, if the ACL is not checking ports then it cannot report ports (if the ACL only specifies to look in the layer 3 header, then it has no idea what is in the layer 4 header and cannot report the value of the port).
Could you post the syntax of the ACL and how it is assigned to the interface?
HTH
Rick
06-15-2007 05:50 AM
Here is the ACL. It is applied to the inside GI0/1 int:
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any any eq 15687 log
access-list 106 permit udp any any eq 15687 log
access-list 106 remark Auto generated by SDM for NTP (123) 10.0.0.2
access-list 106 permit udp host 10.0.0.2 eq ntp host 10.5.0.1 eq ntp
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
Here are the results:
#sh access-l 106
Extended IP access list 106
10 permit tcp any any eq 15687 log (237 matches)
20 permit udp any any eq 15687 log (2791208 matches)
30 permit udp host 10.0.0.2 eq ntp host 10.5.0.1 eq ntp
40 deny ip host 255.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 permit ip any any (57949244 matches)
What I am asking about now is that almost all of the UDP hits show up in the syslog as going to Port 0 rather than 15687. Here is a sample from the Syslog:
Jun 14 00:32:01.901: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.110.209.162(0), 1 packet
Jun 14 00:36:17.861: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 218.80.169.234(0), 1 packet
Jun 14 00:36:26.405: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.110.209.162(0), 1 packet
Jun 14 00:48:08.714: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 125.238.37.228(0), 1260 packets
Jun 14 00:57:17.405: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.103.6.131(0), 1 packet
Jun 14 01:03:08.699: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.103.6.131(0), 7413 packets
Jun 14 01:03:08.699: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 60.21.101.94(0), 1375 packets
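As an added example (not from this thread or from Cisco), a small Python parser for the %SEC-6-IPACCESSLOGP lines quoted above: it totals packets per destination so the busiest peers stand out, and it keeps the port-0 records separate from those that actually report 15687, so the two are not conflated when tracking the traffic down. The sample input reuses four lines from this post plus one constructed non-ACL syslog line.

```python
import re
from collections import defaultdict

# IOS %SEC-6-IPACCESSLOGP summary line: "<src>(<sport>) -> <dst>(<dport>), N packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Return (packets per destination, port-0 packets, packets with a real port).
    Records reporting 0 for both ports are counted separately: the router did not
    report a layer-4 port, so they must not be assumed to be 15687 traffic."""
    by_dst = defaultdict(int)
    zero = known = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_dst[rec["dst"]] += rec["count"]
        if rec["sport"] == 0 and rec["dport"] == 0:
            zero += rec["count"]
        else:
            known += rec["count"]
    return dict(by_dst), zero, known

def top_destinations(lines, n=3):
    """Busiest destinations by packet count, to see where the traffic is going."""
    by_dst, _, _ = summarize(lines)
    return sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Sample input: four lines quoted in this thread plus one constructed non-ACL line.
SAMPLE_LOG = """\
Jun 14 00:32:01.901: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.110.209.162(0), 1 packet
Jun 14 00:48:08.714: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 125.238.37.228(0), 1260 packets
Jun 14 01:03:08.699: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.22(0) -> 202.103.6.131(0), 7413 packets
Jun 13 00:35:00.486: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(15687) -> 59.60.9.68(15687), 1 packet
Jun 13 00:35:01.000: %SYS-5-CONFIG_I: Configured from console by vty0
""".splitlines()
```

Feed the full syslog export to summarize() instead of SAMPLE_LOG; a large port-0 total next to a small 15687 total is the same pattern the thread describes.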
06-15-2007 06:05 AM
Barry
Thanks for posting the additional information. This is very odd. Certainly the access list is examining port numbers and the log messages should have the port numbers instead of reporting zeros. Are there any entries in syslog where it is reporting port numbers for UDP or is every entry reporting zeros?
I have seen situations where the action of the router was different from what is in running config. I have especially seen some situations where the router action reflected something that had been previously configured, the configuration changed, but the behavior seems to still reflect the old configuration. Would it be possible to save the config, reboot the router, and see if the behavior changes? If not would it be possible to copy the access list to a text file, delete the access list in the config, and paste the access list back into the config from the text file?
HTH
Rick
06-15-2007 06:18 AM
I think it is pretty odd too! The syslog does contain logs for actual traffic to port 15687. Here is an example:
Jun 13 00:35:00.486: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(15687) -> 59.60.9.68(15687), 1 packet
It is a bit of a mystery, but thought someone might have seen something similar with this on Port 0. The real question though is what are all the inbound traffic attempts on port 15678 (not shown in these ACLs or syslogs)? The volume is about 1600 attempts an hour (not enough for DOS). My guess is that it is some kind of gaming program with a way of seeing who else is online so the users can invite them to play. I would like to verify that.