Strange traffic between router and ADSL modem

Unanswered Question
Nov 29th, 2008

We have a network with a Catalyst 500 switch and an 871 Ethernet router. The router has been configured, with SDM, with an SDM default medium security firewall. We observe that there is continuous traffic between the router and the internet (DSL modem). I don't see this traffic on any of the hosts. The firewall is moderately active filtering incoming traffic, but the logging that I have been able to set up does not show the activity that I see on the router and modem front panels. Could this be an indication that the router is infected?

tcordier Mon, 12/01/2008 - 08:31

It is unlikely that the router is infected, and I have not heard yet of a virus that did infect a router. There are exploits and bugs which could cause the router to generate unwanted traffic, but not infect it. The first step would be to identify the traffic you are worried about. There could be legitimate traffic, or at least non-threatening, between the Internet and your router which you would not see on the hosts (e.g. NTP, DHCP, or the router responding to ping echo requests).

I would start with enabling IP accounting (step 1 below) on the WAN interface, and if you see source-destination IP address-pairs which you can not explain, I would try to debug these IP addresses in detail by setting up an access-list and debugging using this access list (step 2 below).

1) Configure on the WAN interface

Then, use to view the output.

2) Configure an access-list:

access-list 101 permit ip

and debug:

debug ip packet detail 101

From the debug output you should be able to see what protocol is used, and you can find more details on the nature and volume of the traffic, and whether it is malicious or not.

HTH, Thomas
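As an added example (not part of the original post or the poster's own tooling), the triage described in step 1 can be scripted: parse the accounting table, drop pairs with a LAN endpoint, and list the router's own conversations that no known service explains. It assumes the accounting output is the four-column table IOS prints (Source, Destination, Packets, Bytes) and that addresses are not rewritten by NAT; all addresses, the NTP/DNS peers and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the usual four-column layout of IOS IP accounting output.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.168.1.20     198.51.100.7                   120               96000
 203.0.113.2      192.0.2.123                     14                1064
 203.0.113.2      198.51.100.99                  900               54000
 203.0.113.2      192.0.2.53                      30                2400

Accounting data age is 12
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                         int(m[3]), int(m[4])))
    return rows


def unexplained_pairs(rows, router_wan, lan, explained_peers):
    """Pairs where the router itself is an endpoint and the peer is not accounted for.

    Rows with a LAN endpoint are host traffic and are dropped; the rest is what
    the hosts never see. Result is sorted by byte count, largest first.
    """
    wan = ipaddress.ip_address(router_wan)
    net = ipaddress.ip_network(lan)
    known = {ipaddress.ip_address(p) for p in explained_peers}
    out = []
    for src, dst, pkts, nbytes in rows:
        if src in net or dst in net:
            continue                      # host traffic, visible on the LAN
        if wan not in (src, dst):
            continue                      # not to or from the router itself
        peer = dst if src == wan else src
        if peer not in known:
            out.append((str(src), str(dst), pkts, nbytes))
    return sorted(out, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE)
    # Assumed: 192.0.2.123 is the configured NTP server, 192.0.2.53 the ISP resolver.
    for pair in unexplained_pairs(rows, "203.0.113.2", "192.168.1.0/24",
                                  ["192.0.2.123", "192.0.2.53"]):
        print("explain or debug with an access-list: %s -> %s  %d pkts  %d bytes" % pair)
```

The pairs it returns are the candidates for the access-list and packet debug in step 2.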
