New Member

0.0.0.0 src port 0 traffic

This is syslog output from an access list on a 2820 router with an IPS module installed. I have applied it inbound from a private 10.x.x.x network. These are being generated approx. every 10 minutes in groups of approx. 10 packets.

Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet

Could someone offer me some suggestions as to what type of traffic this might be?

3 REPLIES
Cisco Employee

Re: 0.0.0.0 src port 0 traffic

It looks like illegit traffic.

If it was port 67, 68 it could be DHCP.

But now it looks suspicious.

Try to capture it with a capture to see if these packets really travel through the wire and then try to track them down by following the MAC addresses.

I hope it helps.

PK

Cisco Employee

Re: 0.0.0.0 src port 0 traffic

This appears to be a land attack. http://www.pcmag.com/encyclopedia_term/0,2542,t=land+attack&i=45907,00.asp

You can read here to mitigate this on the firewall: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

For the device in question you probably have to span the port on the switch and find out the MAC address that may be sending this traffic and address why.

-KS

New Member

Re: 0.0.0.0 src port 0 traffic

Yes, I will have to put a packet sniffer on to find the MAC address, thanks.
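
A way to triage entries like the one quoted in the question before setting up the capture, as an added example that is not part of the original thread: it parses `%SEC-6-IPACCESSLOGP` lines, separates the DHCP-looking case (UDP ports 67/68) mentioned in the first reply from the port-0 broadcasts, and groups the latter into bursts so the repeat interval is visible. The sample lines, the placeholder year, the 60-second burst gap and the label names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the entry quoted in the question.
SAMPLE = """\
Mar 24 14:51:39.676 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Mar 24 14:51:41.102 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Mar 24 15:01:40.310 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
Mar 24 15:01:44.000 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Mar 24 15:02:10.500 UTC: %SEC-6-IPACCESSLOGP: list xxxin denied tcp 10.1.2.3(1025) -> 10.9.9.9(23), 1 packet
"""
YEAR = 2000  # assumption: the log has no year; a placeholder is enough for interval math
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+) \w+: %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$")

def parse(text):
    """Return one dict per ACL log line; lines in any other format are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(f"{YEAR} {r['ts']}", "%Y %b %d %H:%M:%S.%f")
            r.update({k: int(r[k]) for k in ("sport", "dport", "count")})
            recs.append(r)
    return recs

def classify(r):
    """Label a record using the reasoning from the replies (label names are hypothetical)."""
    if r["src"] == "0.0.0.0" and r["dst"] == "255.255.255.255":
        if r["proto"] == "udp" and {r["sport"], r["dport"]} <= {67, 68}:
            return "dhcp-like"          # first reply: ports 67/68 could be DHCP
        return "unexplained-broadcast"  # candidate for the capture / MAC trace
    return "other"

def bursts(records, gap=timedelta(seconds=60)):
    """Group records into bursts; a silence longer than `gap` starts a new burst."""
    out = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if out and r["ts"] - out[-1]["end"] <= gap:
            out[-1].update(end=r["ts"], packets=out[-1]["packets"] + r["count"])
        else:
            out.append({"start": r["ts"], "end": r["ts"], "packets": r["count"]})
    return out

if __name__ == "__main__":
    for b in bursts([r for r in parse(SAMPLE) if classify(r) == "unexplained-broadcast"]):
        print(b["start"].time(), "burst of", b["packets"], "packet(s)")
```

The burst start times give the window in which to run the capture or port span suggested in the replies.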
