New Member

Sig 1206

I know this is shown as an information signature; however, the addresses listed are a bit odd.

My internal network

10.10.1.0

Signature 1206

Source: 60.0.209.60

Destination: 0.0.253.60

biz

3 REPLIES
New Member

Re: Sig 1206

Now I'm getting a bunch of 1208 sigs from addresses not on my network to addresses not on my network.

New Member

Re: Sig 1206

It's very possible that someone is crafting IP packets and sending them out on your network.

Another possible explanation is that there is a misconfigured device that is sending traffic to the addresses you specified.

If you use a sniffer you might be able to better track down which host it is that is doing so. You could also try to learn what the MAC address is and search for which machine is sending out the traffic by looking through the CAM tables on your switches.

-Denny

Cisco Employee

Re: Sig 1206

The 1206 alarm is for fragments that are too small, and the 1208 alarm is for datagrams where not all of the fragments have been seen.

One possibility:

If 1206 fires for the 2nd or later fragment in the datagram then it is possible that the sensor has not yet seen the first fragment of the datagram. Or in the case of 1208 it may be the first fragment that was not seen by the sensor.

The sensor fills in the Source and Destination IP Addresses from the information in the first fragment. So if the first fragment is not seen then the sensor has not filled in these fields. So what happens is that the sensor just grabs the junk data that was in memory and you wind up with IP Addresses that don't match real packets.

This is a bug in the sensor. The 2nd and following fragments have the source and dest IP addresses and the sensor should have been filling in those fields.

So with 1206 and 1208 it is possible to see incorrect IPs in the alarms when the first fragment is dropped or not yet seen.

Another possibility is that someone is using tcpreplay or another tool and replaying packets on the network that were collected from other networks. The replayed data may be from a network with those addresses.

So I would suggest using tcpdump or another sniffer to look for these addresses on your network. If you don't find any packets then it is most likely a first fragment dropped problem.

If you only get a few of these every now and then, it may be nothing to worry about.

If you are seeing this often then it is possible that the sensor is dropping packets.

The sensor may be oversubscribed and not be able to capture and analyze all of the packets, and may be dropping some of the fragments.
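The two explanations above (a sensor that takes src/dst only from the first fragment, and Denny's suggestion of tracking the sender down by MAC address) can be illustrated with a small fragment tracker. The following is an added example written for this thread; it is not Cisco sensor code, and the "too small" threshold, the reassembly timeout, the MAC addresses and the frames are all constructed assumptions. It parses Ethernet/IPv4 frames, flags a non-final fragment that is smaller than the threshold (the 1206 condition), reports a datagram that never completes (the 1208 condition), and records the addresses and sender MAC from every fragment it sees, so an alert for a datagram whose first fragment was missed still carries real values instead of uninitialized memory.

```python
import socket
import struct

MIN_FRAG_PAYLOAD = 16   # hypothetical threshold: a non-final fragment smaller than this is "too small"
FRAG_TIMEOUT = 5.0      # seconds an incomplete datagram may wait before it is reported


def build_frame(src_mac, src_ip, dst_ip, ip_id, frag_units, more_fragments, payload):
    """Construct an Ethernet II + IPv4 (no options) frame. The header checksum is
    left as zero: these frames are constructed test input, not captured traffic."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    flags_frag = (0x2000 if more_fragments else 0) | (frag_units & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_frag,
                         64, 17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip_hdr + payload


def parse_frame(frame):
    """Return the fields the tracker needs, or None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, flags_frag = struct.unpack("!HHH", ip[2:8])
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": ip[9],
        "id": ip_id,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }


class FragmentTracker:
    """Reassembly bookkeeping that takes src/dst from every fragment, so an
    alert raised for a datagram whose first fragment was never seen still
    carries the addresses and sender MAC from the fragments that were seen."""

    def __init__(self):
        self.pending = {}   # (src, dst, proto, id) -> {"first_seen", "macs", "pieces", "total"}
        self.alerts = []    # (kind, key, sender_macs, time)

    def observe(self, frame, now):
        pkt = parse_frame(frame)
        if pkt is None or not (pkt["mf"] or pkt["offset"] > 0):
            return                                  # not IPv4, or not a fragment
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])
        entry = self.pending.setdefault(
            key, {"first_seen": now, "macs": set(), "pieces": [], "total": None})
        entry["macs"].add(pkt["src_mac"])
        entry["pieces"].append((pkt["offset"], pkt["payload_len"]))
        if not pkt["mf"]:                            # last fragment fixes the datagram length
            entry["total"] = pkt["offset"] + pkt["payload_len"]
        # Only a non-final fragment can be "too small"; the last one may legitimately be short.
        if pkt["mf"] and pkt["payload_len"] < MIN_FRAG_PAYLOAD:
            self.alerts.append(("SMALL_FRAGMENT", key, pkt["src_mac"], now))
        if self._is_complete(entry):
            del self.pending[key]

    @staticmethod
    def _is_complete(entry):
        if entry["total"] is None:
            return False
        covered = 0
        for offset, length in sorted(entry["pieces"]):
            if offset > covered:
                return False                         # hole before this piece
            covered = max(covered, offset + length)
        return covered >= entry["total"]

    def expire(self, now):
        """Report datagrams that never completed within FRAG_TIMEOUT."""
        for key, entry in list(self.pending.items()):
            if now - entry["first_seen"] > FRAG_TIMEOUT:
                self.alerts.append(("INCOMPLETE_DATAGRAM", key,
                                    ",".join(sorted(entry["macs"])), now))
                del self.pending[key]


def run_demo():
    """Three constructed datagrams: one normal, one with a tiny first fragment,
    and one whose first fragment the 'sensor' never saw (the case in the thread)."""
    t = FragmentTracker()
    good = [build_frame("02:00:00:00:00:01", "10.10.1.5", "10.10.1.9", 1, 0, True, b"A" * 16),
            build_frame("02:00:00:00:00:01", "10.10.1.5", "10.10.1.9", 1, 2, False, b"B" * 10)]
    tiny = [build_frame("02:00:00:00:00:02", "10.10.1.7", "10.10.1.9", 2, 0, True, b"C" * 8),
            build_frame("02:00:00:00:00:02", "10.10.1.7", "10.10.1.9", 2, 1, False, b"D" * 4)]
    # Only the final fragment of this datagram reaches the tracker; the odd addresses
    # are the ones quoted in the thread, used here as constructed sample values.
    orphan = [build_frame("02:00:00:00:00:aa", "60.0.209.60", "0.0.253.60", 3, 3, False, b"E" * 20)]
    for i, frame in enumerate(good + tiny + orphan):
        t.observe(frame, now=float(i))
    t.expire(now=20.0)
    return t.alerts
```

The sender MAC recorded in each alert is what you would then look up in the switch CAM tables to find the port the traffic is actually entering on; if a capture on the segment shows no frames at all with those addresses, the dropped-first-fragment explanation given above is the more likely one.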
