Unusual UDP broadcast traffic from Cisco Router

Jun 19th, 2009

We have a Juniper Firewall with the following:

Eth0/1 Trust (LAN) - 192.168.1.0/24
Eth1/0 DMZ - 172.20.0.0/28
Eth1/1 DMZ2 - 172.30.0.0/27

There is a Cisco Router on 192.168.1.200


We are seeing a lot of IP spoofing traffic on the Juniper Firewall. On investigation, we find that there is broadcast traffic from 172.30.0.2, 3 & 4 to 172.30.0.31 on ports 137 & 138. This occurs in random sequence, but at regular intervals. However, the reason it is IP spoofing is that this traffic is generated from the trust zone (i.e. the 192.168.1.0 side). When we did a packet trace, we found that the MAC on the source IPs (172.30.0.2-4) was that of the Cisco Router. The Cisco Router connects the Branch office (192.100.100.0/24) to HO. The Cisco Router has static routes for 172.20.0.0 & 172.30.0.0 to allow BO PCs to access servers in the DMZs. We need to investigate further and find the source of this broadcast traffic.

My query is, as I am not too familiar with the debug commands on the Cisco Router, how do I capture packets on the Cisco Router, filtered on source or destination IP/port? I also need further help in resolving the issue. Thanks in advance for any help.

Laurent Aubert (Cisco Employee) Sat, 06/20/2009 - 09:34

Hi,

Ports 137 & 138 are used to transport NetBIOS over IP.

172.30.0.31 is what we call a directed broadcast, and these are filtered by default since 12.0:

http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_udpfwd_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054543

You can verify if directed broadcast is enabled or not with show ip interface:

Router# show ip interface g 0/3
GigabitEthernet0/3 is up, line protocol is up
  Internet address is 10.1.1.1/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  ...

It will not help you to identify which machine is generating this traffic, but it will help to explain why the router is forwarding it.

If you have only one site behind the router, you should sniff the traffic on the LAN of this site directly. If there is a WAN connection used by this site to join the HO, capturing the traffic on the router will not help to identify the hosts.

HTH

Laurent.


ajay_dand Sat, 06/20/2009 - 20:19

Thanks Laurent. I have disabled IP Directed Broadcast on the Router Interface facing the Firewall. Still I see the broadcast traffic on the firewall. The idea to look at the traffic inside the router was to confirm that the origin of the traffic was indeed from the BO. Moreover, it was to broaden the understanding of how the internals of the router function. The Router in question is Cisco 1721 and IOS 12.4(1c).

scottmac Sun, 06/21/2009 - 07:25

As a quick note, remember that the MAC of all traffic originating from that interface of that router will bear that interface's MAC address, regardless of the source IP address.


In order to track it back, you need to follow the source IP, and go interface-to-interface on the MAC (a show ip arp will give you an address-to-MAC map).


Every span will change the MAC to the source interface's MAC, but the source IP should be the same (although if it is an attack, it can be manipulated).


Good Luck
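Scott's hop-by-hop MAC/ARP tracing and Laurent's directed-broadcast explanation, combined into a small triage check as an added example (not code from this thread): the zone prefixes come from the original post, while the ARP entry, the packet records and the router MAC are constructed placeholders.

```python
import ipaddress

# Zone-to-prefix map taken from the firewall description in the thread.
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),
    "dmz":   ipaddress.ip_network("172.20.0.0/28"),
    "dmz2":  ipaddress.ip_network("172.30.0.0/27"),
}
NETBIOS_UDP_PORTS = {137, 138}

# Constructed ARP table in the spirit of 'show ip arp'; the router MAC is a placeholder.
ARP_TABLE = {"192.168.1.200": "00:00:5e:00:53:01"}


def mac_owner(mac):
    """Reverse-lookup a source MAC to the IP that owns it, i.e. the last hop."""
    for ip, known in ARP_TABLE.items():
        if known.lower() == mac.lower():
            return ip
    return None


def classify(pkt):
    """Return the set of findings for one UDP packet seen at the firewall.

    pkt: dict with in_zone (ingress zone), src, dst, dport, src_mac.
    """
    findings = set()
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Directed broadcast: destination is the broadcast address of a known
    # subnet (172.30.0.31 is the broadcast address of 172.30.0.0/27).
    if any(dst == net.broadcast_address for net in ZONES.values()):
        findings.add("directed_broadcast")
    if pkt["dport"] in NETBIOS_UDP_PORTS:
        findings.add("netbios")
    # Spoofing as the firewall judges it: the source address does not belong
    # to the prefix of the zone the packet arrived from.
    if src not in ZONES[pkt["in_zone"]]:
        findings.add("spoofed_source")
    return findings


SAMPLE_PACKETS = [  # constructed records modelled on the thread
    {"in_zone": "trust", "src": "172.30.0.2", "dst": "172.30.0.31", "dport": 138, "src_mac": "00:00:5e:00:53:01"},
    {"in_zone": "dmz2", "src": "172.30.0.5", "dst": "172.30.0.31", "dport": 137, "src_mac": "00:00:5e:00:53:aa"},
    {"in_zone": "trust", "src": "192.168.1.50", "dst": "172.20.0.3", "dport": 443, "src_mac": "00:00:5e:00:53:bb"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["src"], "->", p["dst"], sorted(classify(p)), "last hop:", mac_owner(p["src_mac"]))
```

The first record reproduces the case in the thread: a DMZ2 source arriving from the trust zone with the router's MAC, so the next place to look is the segment behind 192.168.1.200.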

ajay_dand Mon, 06/22/2009 - 00:22

Thanks Scott. That the Cisco Router is not the originator of the spoofing traffic is understood. However, I would like to peek into the traffic on the router, to trace the track of the traffic. What is unusual is that the source IP 172.30.x.x should not be seen from this zone. I just need to ascertain from the router whether the traffic originates from the 192.100.100.x network or 192.168.1.x. Guess I need to capture traffic on the LAN segment to do that. I was hoping the Cisco Router would present me an easier way to find out.

Laurent Aubert (Cisco Employee) Mon, 06/22/2009 - 05:10

Hi,


You can capture transit packets on the router, but it has a serious performance impact as you first need to fall back to process switching, so it's at your own risk.


Laurent.
