Cisco Support Community
New Member

Strange traffic from the soup of the internet

Hi everybody,

thanks for a great forum and resource!

Our syslogs recently started showing a specific spoof getting dropped by one of our main firewalls, an ASA.

"Deny IP spoof from (0.0.4.0) to <removed public ip> on interface outside"

While no harm is done since the traffic is dropped, I still wonder... It has been going on for quite a while now, and with a frequency of maybe 40 or 50 times a minute I figure it's not going to stop any time soon.

What would you guys do about something like this?

Thanks.

Cheers

5 REPLIES
New Member

Strange traffic from the soup of the internet

hi

I think, if you have an edge router facing the internet, put an ACL for that.

Thanks

Pranesh

New Member

Strange traffic from the soup of the internet

Hi Pranesh,

thanks. Yeah, I did, it's just my curious nature I guess that makes me want to investigate further. Has anyone ever followed up on something like this by maybe contacting the provider? Would that do any good?

Cheers

Re: Strange traffic from the soup of the internet

hi,

Do a WHOIS on the IP address and report it to the ISP's spam/abuse support email.

The ISP will notify the corresponding IP owner to scan and fix any malicious activity.

There are free web tools to check the WHOIS database.

New Member

Strange traffic from the soup of the internet

Hi johnlloyd_13,

yeah, but the source address in this case is a special-use address apparently, 0.0.4.0. Here is a snippet from the WHOIS I pulled off of it:

"

Comment: The address 0.0.0.0 may only be used as the address of an outgoing packet when a computer is learning which IP address it should use. It is never used as a destination address. Addresses starting with "0." are sometimes used for broadcasts to directly connected devices.

"

So unless my ISP has added a new (and seriously misconfigured) device somewhere, I won't be getting anywhere with that. And if this isn't from my ISP, how does that kind of traffic even get across the internet?

Doesn't anybody past my rented black fiber filter traffic in any way? Would an ISP allow a customer to initiate traffic not sourced from that customer's own IP address / range?

Cheers

Re: Strange traffic from the soup of the internet

hi,

there's a comment which also says it could be in your LAN or perhaps someone VPN'd and spoofed.

Comment: If you see addresses starting with a "0." in logs they are probably in use on your network, which might be as small as a computer connected to a home gateway.
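As an added example (not written by any poster in this thread): a small Python triage script that pulls the "Deny IP spoof" messages quoted in the first post out of a syslog export, labels each source by special-use range, and counts drops per interface per minute. The log lines are constructed, and the syslog header layout, the `%ASA-2-106016` prefix on the samples and the short bogon list are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Special-use source ranges that should never arrive on an internet-facing
# interface (assumed short list; 0.0.0.0/8 is the block seen in the thread).
BOGONS = {
    "this-network (0.0.0.0/8)": ipaddress.ip_network("0.0.0.0/8"),
    "loopback (127.0.0.0/8)": ipaddress.ip_network("127.0.0.0/8"),
    "link-local (169.254.0.0/16)": ipaddress.ip_network("169.254.0.0/16"),
}

# Assumed layout: "<Mon DD HH:MM:SS> <host> <tag>: Deny IP spoof from (src) to dst on interface ifc"
SPOOF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*"
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifc>\S+)"
)

# Constructed sample lines, not taken from the poster's firewall.
SAMPLE_LOG = """\
Mar 03 10:15:01 fw1 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Mar 03 10:15:02 fw1 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Mar 03 10:15:40 fw1 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Mar 03 10:16:05 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:203.0.113.10/22
Mar 03 10:16:09 fw1 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Mar 03 10:16:30 fw1 %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
"""

def classify(src):
    """Return the special-use label for a source address, if any."""
    addr = ipaddress.ip_address(src)
    for label, net in BOGONS.items():
        if addr in net:
            return label
    return "routable/other"

def summarize(log_text):
    """Count spoof drops per (interface, minute) and per (source, label)."""
    per_minute, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if not m:
            continue  # other syslog messages are ignored
        per_minute[(m["ifc"], m["ts"][:-3])] += 1  # drop ":SS" to bucket by minute
        by_source[(m["src"], classify(m["src"]))] += 1
    return per_minute, by_source

if __name__ == "__main__":
    for counter in summarize(SAMPLE_LOG):
        for key, count in sorted(counter.items()):
            print(key, count)
```

A steady per-minute count from one special-use source on one interface, as in the original post, points at a single misbehaving device or path rather than scattered background noise.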
