Hi,

I posted this here a couple of days ago asking for advice on some unusual network traffic logged from an internal LAN. IP traffic with spoofed source and destination addresses was appearing on the inside of a FW-1 system and being dropped by rule 0. Looking further into the problem, the source MAC address of each packet appears to be that of a Cisco Local Director 416 doing HTTP load balancing for a web farm. The destination IP addresses mostly seem to be IANA reserved blocks, but not always (i.e. this one is the DoD). Both the Cisco 416 and the web farm are on private addresses and only the Cisco virtual IP is NATed to the external IP address of the web site.

So now I know where the traffic is being generated from, but I'm still baffled by why it would be generated (and as to what "IP Option 167, Unknown 229 bytes" is). I'm unaware of any security holes in the Cisco IOS that could be exploited this way. If anyone has any ideas I'd be grateful to hear them - particularly Cisco gurus or anyone with experience of IOS weirdness.

Here is a verbose packet dump of a single packet:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 10 arrived at 15:25:47.30
ETHER: Packet size = 66 bytes
ETHER: Destination = 8:0:20:c0:c7:d6, Sun
ETHER: Source = 0:d0:b7:7f:17:52,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 0
IP: Header length = 24 bytes
IP: Type of service = 0x01
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 52 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 6 seconds/hops
IP: Protocol = 0 (IP)
IP: Header checksum = 02af
IP: Source address = 118.20.165.232, 118.20.165.232
IP: Destination address = 26.39.0.0, 26.39.0.0
IP: Options: (4 bytes)
IP: - Option 167 (unknown - 229 bytes)
9377C35C065D00500C9444C4D94C44C4D94C50041EAB43190000555555550000000000000000
0000000000000000FF18EC7700000001FF3DD0E40000000
0FF3A0EA0FF18EC77FF3A1EF0FF3A0EA0FF3A02FC000003AE000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000000FF236D740000029800072AB0000000A60000000000055114000000000000000000015
18000000000FF
IP:

Any ideas appreciated.

Thanks,
David

>> Source and destination ports appear pretty random too.
>>
>> For example:
>>
>> 12:35:34 drop HOST >qfe1 proto ip service 41681 src 246.20.29.181 dst 88.170.0.0 s_port 50108 h_len 24 ip_vers 0 rule 0
>> 12:35:34 drop HOST >qfe1 proto ip service 12004 src 109.20.199.252 dst 202.208.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
>> 12:35:34 drop HOST >qfe1 proto ip service 27287 src 110.20.231.68 dst 170.136.0.0 s_port 52064 h_len 24 ip_vers 0 rule 0
>> 12:35:34 drop HOST >qfe1 proto ip service 42820 src 115.20.0.249 dst 16.89.0.0 s_port 54322 h_len 24 ip_vers 0 rule 0
>> 12:35:35 drop HOST >qfe1 proto ip service 12004 src 109.20.180.252 dst 221.208.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
>> 12:35:35 drop HOST >qfe1 proto ip service 27287 src 110.20.223.68 dst 178.136.0.0 s_port 52064 h_len 24 ip_vers 0 rule 0
>> 12:35:35 drop HOST >qfe1 proto ip service 48642 src 113.20.17.153 dst 234.242.0.0 s_port 54330 h_len 24 ip_vers 0 rule 0
>> 12:35:36 drop HOST >qfe1 proto ip service 28616 src 49.20.226.102 dst 59.75.0.0 s_port 52064 h_len 24 ip_vers 0 rule 0
>> 12:35:36 drop HOST >qfe1 proto ip service 7199 src 110.20.7.78 dst 138.127.0.0 s_port 49528 h_len 24 ip_vers 0 rule 0
>> 12:35:37 drop HOST >qfe1 proto ip service 33996 src 106.20.165.86 dst 240.118.0.0 s_port 49912 h_len 24 ip_vers 0 rule 0
>> 12:35:37 drop HOST >qfe1 proto ip service 7199 src 109.20.4.78 dst 142.127.0.0 s_port 49528 h_len 24 ip_vers 0 rule 0
>> 12:35:37 drop HOST >qfe1 proto ip service 61570 src 234.20.156.236 dst 58.210.0.0 s_port 36187 h_len 24 ip_vers 0 rule 0
>> 12:35:37 drop HOST >qfe1 proto ip service 12004 src 109.20.43.252 dst 102.209.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
>> 12:35:37 drop HOST >qfe1 proto ip service 61570 src 234.20.38.47 dst 203.163.0.0 s_port 36187 h_len 24 ip_vers 0 rule 0
>> 12:35:38 drop HOST >qfe1 proto ip service 56707 src 243.20.198.131 dst 180.226.0.0 s_port 16044 h_len 24 ip_vers 0 rule 0
>> 12:35:38 drop HOST >qfe1 proto ip service 61570 src 233.20.39.46 dst 252.196.0.0 s_port 36187 h_len 24 ip_vers 0 rule 0
>> 12:35:38 drop HOST >qfe1 proto ip service 7199 src 110.20.255.77 dst 146.127.0.0 s_port 49528 h_len 24 ip_vers 0 rule 0
>> 12:35:39 drop HOST >qfe1 proto ip service 13934 src 111.20.115.227 dst 28.234.0.0 s_port 15883 h_len 24 ip_vers 0 rule 0
>> 12:35:39 drop HOST >qfe1 proto ip service 17207 src 56.20.255.42 dst 59.75.0.0 s_port 50012 h_len 24 ip_vers 0 rule 0
>> 12:35:39 drop HOST >qfe1 proto ip service 12004 src 109.20.219.251 dst 182.209.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
>> 12:35:39 drop HOST >qfe1 proto ip service 7681 src 239.20.50.56 dst 186.49.0.0 s_port 54728 h_len 24 ip_vers 0 rule 0
>> 12:35:39 drop HOST >qfe1 proto ip service 1688 src 118.20.202.38 dst 245.173.0.0 s_port 50012 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 55467 src 106.20.231.111 dst 174.93.0.0 s_port 54573 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 20777 src 46.20.67.134 dst 142.129.0.0 s_port 49923 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 41681 src 118.20.199.67 dst 91.247.0.0 s_port 50108 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 5320 src 110.20.186.150 dst 215.54.0.0 s_port 15882 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 55467 src 106.20.221.111 dst 184.93.0.0 s_port 54573 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 55467 src 106.20.220.111 dst 185.93.0.0 s_port 54573 h_len 24 ip_vers 0 rule 0
>> 12:35:40 drop HOST >qfe1 proto ip service 5320 src 110.20.185.150 dst 216.54.0.0 s_port 15882 h_len 24 ip_vers 0 rule 0

--
David Watson                       Voice:  UK 01904 438000
Technical Manager                  Fax:    UK 01904 435199
Infocom UK Ltd                     E-Mail: [EMAIL PROTECTED]
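As an added example, not part of David's post, here is a small Python script that applies the checks a firewall administrator would want to run over FW-1 log entries like the ones quoted above. It parses each line, flags an IP version other than 4, a header length other than 20 bytes (which means IP options are present, as in the packet dump), and source or destination addresses that can never be a legitimate unicast endpoint (multicast, the reserved 240/4 block, loopback, link-local, unspecified), and it counts client ports that recur across different source addresses, the pattern in the quoted log that points at one generator rather than many hosts. The log lines in the script are copied from the post; the regular expression, the field names, the decision to leave RFC 1918 space out of the address check (the web farm is on private addresses, so those are expected on the inside interface) and the extra "accept" line used as a negative case are my assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# FW-1 log lines copied from the post above (one dropped packet per line).
SAMPLE_LOG = """\
12:35:34 drop HOST >qfe1 proto ip service 41681 src 246.20.29.181 dst 88.170.0.0 s_port 50108 h_len 24 ip_vers 0 rule 0
12:35:34 drop HOST >qfe1 proto ip service 12004 src 109.20.199.252 dst 202.208.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
12:35:34 drop HOST >qfe1 proto ip service 27287 src 110.20.231.68 dst 170.136.0.0 s_port 52064 h_len 24 ip_vers 0 rule 0
12:35:35 drop HOST >qfe1 proto ip service 12004 src 109.20.180.252 dst 221.208.0.0 s_port 51766 h_len 24 ip_vers 0 rule 0
12:35:37 drop HOST >qfe1 proto ip service 61570 src 234.20.156.236 dst 58.210.0.0 s_port 36187 h_len 24 ip_vers 0 rule 0
12:35:38 drop HOST >qfe1 proto ip service 56707 src 243.20.198.131 dst 180.226.0.0 s_port 16044 h_len 24 ip_vers 0 rule 0
12:35:39 drop HOST >qfe1 proto ip service 7681 src 239.20.50.56 dst 186.49.0.0 s_port 54728 h_len 24 ip_vers 0 rule 0
12:35:40 drop HOST >qfe1 proto ip service 55467 src 106.20.231.111 dst 174.93.0.0 s_port 54573 h_len 24 ip_vers 0 rule 0
12:35:40 drop HOST >qfe1 proto ip service 55467 src 106.20.221.111 dst 184.93.0.0 s_port 54573 h_len 24 ip_vers 0 rule 0
"""

# A well-formed entry, constructed here (not from the post), as a negative case.
NORMAL_LINE = ("12:36:01 accept HOST >qfe1 proto tcp service 80 src 192.168.1.10 "
               "dst 10.0.0.5 s_port 40001 h_len 20 ip_vers 4 rule 3")

# Field layout assumed from the quoted entries; adjust if your export differs.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<origin>\S+) (?P<iface>\S+) "
    r"proto (?P<proto>\S+) service (?P<service>\d+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"s_port (?P<s_port>\d+) h_len (?P<h_len>\d+) ip_vers (?P<ip_vers>\d+) rule (?P<rule>\d+)$"
)

BAD_VERSION = "ip_vers != 4"
HAS_OPTIONS = "h_len != 20 (IP options present)"
BOGON_SRC = "unroutable src"
BOGON_DST = "unroutable dst"


def parse_line(line):
    """Return the fields of one FW-1 log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("service", "s_port", "h_len", "ip_vers", "rule"):
        rec[key] = int(rec[key])
    return rec


def is_unroutable(addr):
    """True for addresses that can never be a legitimate unicast endpoint.

    RFC 1918 space is deliberately left out: the web farm behind the Local
    Director sits on private addresses, so those are expected on the inside.
    """
    a = ipaddress.ip_address(addr)
    return (a.is_multicast or a.is_reserved or a.is_loopback
            or a.is_link_local or a.is_unspecified)


def anomalies(rec):
    """List the reasons one parsed record looks forged or malformed."""
    reasons = []
    if rec["ip_vers"] != 4:
        reasons.append(BAD_VERSION)
    if rec["h_len"] != 20:
        reasons.append(HAS_OPTIONS)
    if is_unroutable(rec["src"]):
        reasons.append(BOGON_SRC)
    if is_unroutable(rec["dst"]):
        reasons.append(BOGON_DST)
    return reasons


def analyse(text):
    """Summarise a block of FW-1 log text: how many entries were flagged, why,
    and which client ports recur across different source addresses."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    reasons = Counter()
    flagged = 0
    srcs_by_sport = defaultdict(set)
    for rec in records:
        why = anomalies(rec)
        if why:
            flagged += 1
            reasons.update(why)
        srcs_by_sport[rec["s_port"]].add(rec["src"])
    reused = {p: len(s) for p, s in srcs_by_sport.items() if len(s) > 1}
    return {"total": len(records), "flagged": flagged,
            "reasons": dict(reasons), "reused_s_ports": reused}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("entries: %d, flagged: %d" % (report["total"], report["flagged"]))
    for reason, n in sorted(report["reasons"].items()):
        print("  %-35s %d" % (reason, n))
    for port, n in sorted(report["reused_s_ports"].items()):
        print("  s_port %d seen with %d different sources" % (port, n))
```

Run it as-is against the embedded sample, or pipe a real FW-1 text export into analyse(); every quoted entry is flagged twice over (version 0, 24-byte header), four of the nine carry a multicast or 240/4 source, and client ports 51766 and 54573 each recur with different source addresses.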
