I would suggest looking at the 64 bytes of the data packet that is returned in the
host unreachable packets if you can. It should normally contain the IP headers of the
packet that was received.
In that packet the from address should be in your address space but the to address
should give you more clues as to whether the blocked ICMP packets are spoofs of your
IP space or legitimate ICMP unreachable messages.
Because you have censored the sending IP numbers, I can't test to see if those are
routers or end points. If they are routers, then the actual destinations of your
packets are much more likely to give you information.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Behm, Jeffrey L.
Sent: Friday, December 08, 2000 17:48
To: Firewalls List
Subject: Found in Cisco Router log
Apologies for the length, and if you aren't interested in helping explain an
icmp denied log message from a Cisco Router, please ignore this email.
I have been seeing some activity and was trying to track it down. I've
been watching this activity all day and I have now proceeded to completely
confuse and second guess myself about what I am seeing.
<cisco log file snippet w/ hostnames and ip's changed to protect the
innocent>
Dec 8 16:07:45 <ciscorouter> 3128095: Dec 8 16:07:44: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.201.225 -> abc.def.64.77 (3/1), 1 packet
Dec 8 16:07:47 <ciscorouter> 3128098: Dec 8 16:07:46: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.17 -> abc.def.62.4 (3/1), 1 packet
Dec 8 16:07:49 <ciscorouter> 3128099: Dec 8 16:07:48: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.25 -> abc.def.251.106 (3/1), 1 packet
Dec 8 16:07:51 <ciscorouter> 3128100: Dec 8 16:07:50: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.25 -> abc.def.89.116 (3/1), 1 packet
Dec 8 16:07:53 <ciscorouter> 3128103: Dec 8 16:07:52: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.201.225 -> abc.def.24.12 (3/1), 1 packet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
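One way to apply the checks the reply above suggests, as an added example that is not from either poster: it parses an ICMP type 3 (destination unreachable) packet, pulls the quoted original IP header plus the first 8 bytes of its payload out of the ICMP body, and reports whether the quoted source address is inside your own space and matches the host the unreachable was sent to. The 203.0.113.0/24 prefix and the sample packet are constructed placeholders, not addresses from the log.

```python
import ipaddress
import struct

# Constructed stand-in for the poster's own "abc.def" address space (hypothetical).
OUR_SPACE = [ipaddress.ip_network("203.0.113.0/24")]

def parse_icmp_unreachable(pkt):
    """Parse an IPv4 packet carrying ICMP type 3. Returns the outer addresses,
    the code, and the quoted original IP header fields, or None if not type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        return None
    inner = icmp[8:]                          # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]       # first 8 bytes of the original payload
    ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else None
    return {"from": ipaddress.ip_address(pkt[12:16]), "to": ipaddress.ip_address(pkt[16:20]),
            "code": icmp[1], "orig_src": ipaddress.ip_address(inner[12:16]),
            "orig_dst": ipaddress.ip_address(inner[16:20]), "orig_proto": proto,
            "orig_ports": ports}

def classify(info, our_space=OUR_SPACE):
    """Checks from the reply: the quoted source must be in our space, and it
    should be the very host the unreachable is addressed to."""
    if not any(info["orig_src"] in net for net in our_space):
        return "unsolicited: quoted packet is not from our space (spoofed or bogus)"
    if info["orig_src"] != info["to"]:
        return "mismatch: quoted source is ours but is not the notified host"
    return "consistent: genuine-looking unreachable for our traffic to %s" % info["orig_dst"]

def build_sample(outer_src, outer_dst, orig_src, orig_dst, sport=40000, dport=80):
    """Construct a minimal host-unreachable (3/1) packet as test input;
    checksums are left zero because nothing here verifies them."""
    def ip_hdr(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    inner = ip_hdr(orig_src, orig_dst, 6, 40) + struct.pack("!HHI", sport, dport, 1)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + inner
    return ip_hdr(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    pkt = build_sample("198.51.100.1", "203.0.113.10", "203.0.113.10", "192.0.2.5")
    print(classify(parse_icmp_unreachable(pkt)))
```

Feed it the raw bytes captured for one of the denied packets (a packet capture taken in front of the router, since the ACL log line alone does not carry the ICMP payload) and the quoted destination tells you which of your own outbound connections, if any, the message is really about.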