src port 0 traffic

Unanswered Question
Mar 24th, 2010

This is syslog output from an access list on a 2820 router with an IPS module installed. I have applied it inbound from a private 10.x.x.x network. These are being generated approximately every 10 minutes in groups of approximately 10 packets.

Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp ->, 1 packet

Could someone offer me some suggestions as to what type of traffic this might be?

Panos Kampanakis Wed, 03/24/2010 - 14:40

It looks like illegit traffic.

If it was port 67 or 68, it could be DHCP.

But now it looks suspicious.

Try to capture it with a capture to see if these packets really travel through the wire, and then try to track them down by following the MAC addresses.

I hope it helps.


Kureli Sankar Wed, 03/24/2010 - 16:02

This appears to be a land attack. http://www.pcmag.com/encyclopedia_term/0,2542,t=land+attack&i=45907,00.asp

You can read here to mitigate this on the firewall: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

For the device in question you probably have to span the port on the switch and find out the MAC address that may be sending this traffic and address why.


bryantsteve Thu, 03/25/2010 - 08:30

Yes, I will have to put a packet sniffer on to find the MAC address, thanks.
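
As an added example (not part of the thread), this Python script parses `%SEC-6-IPACCESSLOGP` lines and tallies, per source address, denied entries that show source port 0 or identical source and destination address and port (the land-attack pattern mentioned above). The sample addresses and ports are constructed, since the log line in the original post has them elided.

```python
import re
from collections import defaultdict

# Body of an IOS ACL log entry for TCP/UDP:
#   list NAME action proto SRC(sport) -> DST(dport), N packet(s)
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample input: every address and port below is invented.
SAMPLE = """\
Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 10.1.1.20(0) -> 10.2.2.5(0), 1 packet
Mar 24 14:56:41.102 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 10.1.1.20(0) -> 10.2.2.5(0), 9 packets
Mar 24 14:57:02.310 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied tcp 10.1.1.33(139) -> 10.1.1.33(139), 1 packet
Mar 24 14:58:15.004 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 10.1.1.40(53211) -> 10.2.2.5(161), 3 packets
Mar 24 14:59:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
"""


def summarize(text):
    """Return {src_ip: {"packets": n, "flags": set}} for denied entries worth tracing."""
    hits = defaultdict(lambda: {"packets": 0, "flags": set()})
    for line in text.splitlines():
        m = LOGP.search(line)
        if not m or m["action"] != "denied":
            continue  # not an ACL deny entry for TCP/UDP
        flags = set()
        if m["sport"] == "0":
            flags.add("src-port-0")
        if m["src"] == m["dst"] and m["sport"] == m["dport"]:
            flags.add("land-pattern")
        if flags:
            hits[m["src"]]["packets"] += int(m["count"])
            hits[m["src"]]["flags"] |= flags
    return dict(hits)


if __name__ == "__main__":
    # Sources listed here are the ones to look for in the packet capture.
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, info["packets"], sorted(info["flags"]))
```

The flagged source addresses are the ones to match against the capture or SPAN session when looking up the sending MAC address.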

