Cisco Support Community
Community Member

Has Anyone Seen This . . .

On Monday our network was severely degraded. The inside of our firewall was getting hammered by thousands of UDP packets (port number 445) with a source and destination address of

We isolated the router that was forwarding the packets and rebooted it. Unfortunately we did not have enough time to deploy to the remote site and put a sniffer on the network to help us further isolate the originating device. Upon doing so the traffic stopped. However, I'm skeptical that this actually fixed the problem. I suspect that it's a virus and will return and start flooding my network again. I'm also at a loss as to why the router was even forwarding traffic to the gateway router and eventually on to the firewall, as the should never be propagated.

Has anyone ever seen this problem, or know what might have caused it? Unfortunately our local Cisco engineer was also at a loss.


Re: Has Anyone Seen This . . .

This is one of the reasons you filter at the edge facing the Internet..

access-list 110 deny ip any

access-list 110 deny ip any

access-list 110 deny ip any

access-list 110 deny ip host any

Here you find examples of protection guidelines.

If this is something that had happened from the inside, after finding out the source system then you would have to block that UDP port through an ACL at the perimeter where it is coming from as a temporary measure until you spot/fix that system. Then remove the ACL if it is no longer a threat.



Community Member

Re: Has Anyone Seen This . . .


Thanks for the response. It was definitely coming from inside my network. I've got an access list blocking the network and UDP port 445 on my internal 7206 router. I'm also logging hits against the ACL. Over the last two days I have not seen any hits.

What I'm confused by is what would cause this? Do you know of an existing virus with similar symptoms?
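The two posts above describe the same defensive loop: deny the worm port with an ACL that carries the "log" keyword, then use the logged hits to find the source system. The script below is an added example (not code from the thread or from Cisco) that reads router syslog lines in the IOS %SEC-6-IPACCESSLOGP format, sums the denied packets per source host for a chosen protocol and destination port, and lists the hosts that exceed a threshold. The log lines, host addresses, packet counts and the 100-packet threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample syslog lines in the Cisco IOS %SEC-6-IPACCESSLOGP format
# (the message IOS emits for ACL entries carrying the "log" keyword). These are
# not the thread author's logs; the hosts and counts are made up.
SAMPLE_LOG = """\
Jan 12 09:14:02.113: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.20.4.17(1034) -> 10.1.1.1(445), 1 packet
Jan 12 09:14:07.201: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)
Jan 12 09:19:02.118: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.20.4.17(1034) -> 10.1.1.1(445), 412 packets
Jan 12 09:19:09.550: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.4.17(1052) -> 10.1.1.1(135), 3 packets
Jan 12 09:20:11.004: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.20.7.3(4000) -> 10.1.1.1(445), 2 packets
"""

# One IPACCESSLOGP line: list, action, proto, src(port) -> dst(port), N packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


class AclHit(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_acl_log(text: str) -> List[AclHit]:
    """Return one AclHit per IPACCESSLOGP line; other message types are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        hits.append(AclHit(
            acl=m["acl"], action=m["action"], proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            count=int(m["count"]),
        ))
    return hits


def packets_by_source(hits: List[AclHit], proto: str = "udp", dport: int = 445) -> Counter:
    """Sum the logged packet counts per source host for one protocol/destination port."""
    totals: Counter = Counter()
    for h in hits:
        if h.proto == proto and h.dport == dport:
            totals[h.src] += h.count
    return totals


def ports_by_source(hits: List[AclHit]) -> Dict[str, Set[int]]:
    """Destination ports each source was seen hitting; 135 together with 445 is a useful fingerprint."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for h in hits:
        ports[h.src].add(h.dport)
    return dict(ports)


def suspect_hosts(hits: List[AclHit], proto: str = "udp", dport: int = 445,
                  threshold: int = 100) -> List[str]:
    """Sources whose denied packet total meets the threshold, busiest first."""
    totals = packets_by_source(hits, proto, dport)
    return [src for src, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = parse_acl_log(SAMPLE_LOG)
    seen_ports = ports_by_source(hits)
    for src, n in packets_by_source(hits).most_common():
        print(f"{src:15} {n:6} packets to udp/445, ports seen: {sorted(seen_ports[src])}")
    print("suspect hosts:", suspect_hosts(hits))
```

Feed it the router's syslog file (or the output of "show logging") instead of SAMPLE_LOG; the host at the top of the list is the one to pull off the network and examine. Note that IOS rate-limits ACL logging and reports summary counts after the first packet, which is why the counts are summed rather than the lines.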

Re: Has Anyone Seen This . . .

Actually, as I recall, I heard of this from another colleague a few years ago in another company; it turned out to be a client PC infected with a virus accessing a SQL server..

I found the email.. but no link, so here is a thread of the information.. although it indicates TCP, there may be another using UDP.. check Symantec for any info.


The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to may indicate an infection on your network, so you may wish to monitor network traffic.

Sites that do not use to manage patches may wish to block outbound traffic to In practice, this may be difficult to achieve, since may not resolve to the same address every time. Correctly blocking traffic to will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to without a thorough understanding of your operational needs.

We have been in contact with Microsoft regarding this possibility of this denial-of-service attack.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.

bjw Silver

Re: Has Anyone Seen This . . .

Port 445 is a frequent target of bad guys.


Re: Has Anyone Seen This . . .

It's all there in Bjw's link, good info..
