On Monday our network was severely degraded. The inside of our firewall was getting hammered by thousands of UDP packets (port number 445) with a source and destination address of 127.0.0.1.
We isolated the router that was forwarding the packets and rebooted it. Unfortunately we did not have enough time to deploy to the remote site and put a sniffer on the network to help us further isolate the originating device. Upon doing so the traffic stopped. However, I'm skeptical that this actually fixed the problem. I suspect that it's a virus and will return and start flooding my network again. I'm also at a loss as to why the router was even forwarding traffic to the gateway router and eventually on to the firewall as the 127.0.0.1 should never be propagated.
Has anyone ever seen this problem or know what might have caused it? Unfortunately our local Cisco engineer was also at a loss.
If this is something that had happened from the inside, after finding out the source system then you would have to block that UDP port through an ACL at the perimeter where it is coming from as a temporary measure until you spot/fix that system. Then remove the ACL if it is no longer a threat.
Thanks for the response. It was definitely coming from inside my network. I've got an access list blocking the 127.0.0.0 network and UDP port 445 on my Internal 7206 router. I'm also logging hits against the ACL. Over the last two days I have not seen any hits.
What I'm confused by is what would cause this? Do you know of an existing virus with similar symptoms?
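An added example, not part of any post in this thread: a Python sketch that tallies ACL deny log lines with a 127.0.0.0/8 source by ingress interface and source MAC, which is what you need to trace such packets back toward the originating device when the source IP itself is useless. It assumes the deny entries use the IOS `log-input` keyword (the thread only says hits are logged); the log lines, hostname and addresses are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). The
# "(interface MAC)" field appears only when the ACL entry ends in log-input.
SAMPLE_LOG = """\
Mar  3 09:14:02 rtr7206 %SEC-6-IPACCESSLOGP: list 101 denied udp 127.0.0.1(1027) (FastEthernet0/1 0000.5e00.5301) -> 127.0.0.1(445), 1 packet
Mar  3 09:19:02 rtr7206 %SEC-6-IPACCESSLOGP: list 101 denied udp 127.0.0.1(1027) (FastEthernet0/1 0000.5e00.5301) -> 127.0.0.1(445), 412 packets
Mar  3 09:19:40 rtr7206 %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.4.17(1310) (FastEthernet0/2 0000.5e00.5302) -> 10.1.1.5(445), 3 packets
Mar  3 09:20:05 rtr7206 %SEC-6-IPACCESSLOGP: list 101 denied udp 127.0.0.1(1027) -> 127.0.0.1(445), 5 packets
Mar  3 09:20:11 rtr7206 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.4.17(2200) (FastEthernet0/2 0000.5e00.5302) -> 10.1.1.5(80), 1 packet
Mar  3 09:21:00 rtr7206 %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
"""

# Matches denied TCP/UDP hits; the ingress interface and layer-2 source
# are optional so lines logged without log-input still parse.
HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<intf>\S+) (?P<l2>\S+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def loopback_hits(log_text):
    """Sum denied packets whose source is in 127.0.0.0/8,
    keyed by (ingress interface, layer-2 source address)."""
    totals = Counter()
    for line in log_text.splitlines():
        m = HIT.search(line)
        if not m:
            continue  # not an ACL deny line for TCP/UDP
        if ipaddress.ip_address(m["src"]).is_loopback:
            key = (m["intf"] or "unknown", m["l2"] or "unknown")
            totals[key] += int(m["count"])
    return totals


if __name__ == "__main__":
    # Highest packet count first: the interface/MAC to chase down.
    for (intf, l2), packets in loopback_hits(SAMPLE_LOG).most_common():
        print(f"{packets:6d} packets  ingress={intf}  l2-src={l2}")
```

The MAC identifies the last layer-2 hop on that interface, so on a routed segment it points at the next router to check rather than the end host.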