03-24-2010 08:23 AM - edited 03-11-2019 10:25 AM
This is syslog output from an access list on a 2820 router with an IPS module installed. I have applied it inbound from a private 10.x.x.x network. These are being generated approx. every 10 minutes in groups of approx. 10 packets:
Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Could someone offer me some suggestions as to what type of traffic this might be?
03-24-2010 02:40 PM
It looks like illegit traffic.
If it were on ports 67/68 it could be DHCP.
But now it looks suspicious.
Try to capture it to see if these packets really travel on the wire, and then try to track them down by following the MAC addresses.
I hope it helps.
PK
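The reasoning above (DHCP client broadcasts come from 0.0.0.0 to 255.255.255.255 on UDP 68 -> 67, so a 0.0.0.0 -> 255.255.255.255 flow logged with ports (0) does not fit that pattern and is worth chasing to a MAC address) can be turned into a small log triage script. The following is an added example, not code from this thread or from Cisco: it parses %SEC-6-IPACCESSLOGP lines of the shape shown in the question, groups them per flow, counts packets and bursts (a new burst whenever the gap between hits exceeds a minute, matching the "groups every 10 minutes" observation), and labels each flow. The sample log lines are constructed for the demo; the ACL name xxxin is taken from the thread. One caveat to confirm against your own ACL before trusting the port numbers: IOS can print (0) as the port when the matching ACE does not test ports at all, so a capture is still the right way to see the real ports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the IOS ACL log line shape shown in the thread (IPACCESSLOGP only;
# ICMP and port-less protocols use other mnemonics and are not handled here).
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+\S+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log (not from a real device): three bursts of the port-0
# broadcast from the question, one genuine DHCP discover, one unrelated permit.
SAMPLE_LOG = """\
Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Mar 24 14:51:40.102 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 9 packets
Mar 24 14:55:02.311 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets
Mar 24 15:01:41.020 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 10 packets
Mar 24 15:11:39.870 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 10 packets
Mar 24 15:12:00.000 UTC: %SEC-6-IPACCESSLOGP: list xxxin permitted tcp 10.1.2.3(51234) -> 10.1.9.9(22), 1 packet
""".splitlines()


def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime's default year is fine because
    # only the differences between timestamps are used below.
    rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def classify(rec):
    """Label a flow: DHCP-looking broadcast vs. the port-0 unspecified-source broadcast."""
    if rec["proto"] == "udp" and rec["sport"] == 68 and rec["dport"] == 67:
        return "dhcp-client-broadcast"
    if rec["src"] == "0.0.0.0" and rec["dst"] == "255.255.255.255":
        if rec["proto"] == "udp" and rec["sport"] == 0 and rec["dport"] == 0:
            return "suspect-unspecified-broadcast"
        return "other-unspecified-broadcast"
    return "other"


def summarize(lines, burst_gap=timedelta(seconds=60)):
    """Aggregate denied flows: total packets, number of bursts and a label per flow.

    Lines are expected in time order; a new burst starts when the gap since the
    previous hit on the same flow exceeds burst_gap.
    """
    flows = defaultdict(lambda: {"packets": 0, "bursts": 0, "last": None, "label": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        f = flows[key]
        f["packets"] += rec["count"]
        f["label"] = classify(rec)
        if f["last"] is None or rec["ts"] - f["last"] > burst_gap:
            f["bursts"] += 1
        f["last"] = rec["ts"]
    return {k: {"packets": v["packets"], "bursts": v["bursts"], "label": v["label"]}
            for k, v in flows.items()}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
```

Running it against the sample prints two flows: the port-0 broadcast with 30 packets across 3 bursts, labelled suspect, and the 68 -> 67 flow labelled as DHCP. Feed it real syslog (for example the output of the logging host) and the suspect flows are the ones to chase with a SPAN session or sniffer, as the replies suggest.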
03-24-2010 04:02 PM
This appears to be a land attack. http://www.pcmag.com/encyclopedia_term/0,2542,t=land+attack&i=45907,00.asp
You can read here to mitigate this on the firewall: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
For the device in question you probably have to span the port on the switch and find out the MAC address that may be sending this traffic and address why.
-KS
03-25-2010 08:30 AM
Yes, I will have to put a packet sniffer on to find the MAC address, thanks.