
0.0.0.0 src port 0 traffic

bryantsteve
Level 1

This is syslog output from an access list on a 2820 router with an IPS module installed. I have applied it inbound from a private 10.x.x.x network. These are being generated approx. every 10 minutes in groups of approx. 10 packets.

Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet

Could someone offer me some suggestions as to what type of traffic this might be?

3 Replies

Panos Kampanakis
Cisco Employee

It looks like illegit traffic.

If it was port 67, 68 it could be DHCP.

But now it looks suspicious.

Try to capture it with a capture to see if these packets really travel through the wire and then try to track them down by following the MAC addresses.

I hope it helps.

PK

This appears to be a land attack. http://www.pcmag.com/encyclopedia_term/0,2542,t=land+attack&i=45907,00.asp

You can read here to mitigate this on the firewall: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

For the device in question you probably have to span the port on the switch and find out the MAC address that may be sending this traffic and address why.

-KS

bryantsteve
Level 1

Yes, I will have to put a packet sniffer on to find the MAC address, thanks.
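One way to triage these log entries offline before setting up the capture, as an added example that is not part of the original thread: it parses `%SEC-6-IPACCESSLOGP` lines, separates the DHCP case mentioned in the first reply from port-0 entries, and groups the port-0 entries into bursts to confirm the interval. The function names, the 5-second burst gap, the placeholder year, and every sample line after the first are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) \w+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse(line, year=2000):  # the log line carries no year; 2000 is a placeholder
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S.%f")
    for k in ("sport", "dport", "count"):
        e[k] = int(e[k])
    return e

def classify(e):
    if e["proto"] == "udp" and (e["sport"], e["dport"]) == (68, 67):
        return "dhcp-client"  # client broadcast, the DHCP case from the first reply
    return "port-zero" if e["sport"] == e["dport"] == 0 else "other"

def bursts(events, gap=timedelta(seconds=5)):
    """Group events no more than `gap` apart; return [(burst_start, packets)]."""
    out, last = [], None
    for e in sorted(events, key=lambda e: e["ts"]):
        if last is None or e["ts"] - last > gap:
            out.append([e["ts"], 0])
        out[-1][1] += e["count"]
        last = e["ts"]
    return [tuple(b) for b in out]

# Constructed sample: the first line is the one quoted in the post, the rest are made up.
SAMPLE = """\
Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Mar 24 14:51:40.102 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 9 packets
Mar 24 15:01:41.310 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 10 packets
Mar 24 15:02:00.000 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
"""

def triage(text):
    events = [e for e in map(parse, text.splitlines()) if e]
    b = bursts([e for e in events if classify(e) == "port-zero"])
    gaps = [round((y[0] - x[0]).total_seconds() / 60) for x, y in zip(b, b[1:])]
    dhcp = sum(classify(e) == "dhcp-client" for e in events)
    return {"bursts": b, "gap_minutes": gaps, "dhcp_events": dhcp}
```

The burst start times from `triage(SAMPLE)["bursts"]` give the windows in which a capture on the spanned switch port should contain the frames whose source MAC address needs tracing.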
