I am seeing a strange network scan on an internal firewall. The scan assumes a source id which is not anywhere on our network and tries to reach a class B network (A.B.0.0) which is also not in our network. I traced the problem to a local director's MAC address. I called up Cisco and they said it seems like a Recon Attack. I am not sure what it is. It has been happening for some time now. Can someone shed some light on this? The firewall is dropping the packets at rule 0. Any help will be much appreciated.
 
Here are some of the packets from windump. As you can see, the source address changes on the third octet.
 
The MAC address of the firewall interface is 0:60:8:98:1c:74 and the local director MAC address is 0:e0:b6:0:27:b4
 
14:38:01.053348 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.8.171 > 134.92.0.0: ip-proto-0 28 [tos 0x1]
14:38:01.616031 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 116.20.53.145 > 169.167.0.0: ip-proto-0 28 [tos 0x1]
14:38:01.640727 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 116.20.50.145 > 172.167.0.0: ip-proto-0 28 [tos 0x1]
14:38:01.652690 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.254.170 > 144.92.0.0: ip-proto-0 28 [tos 0x1]
14:38:01.799548 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.249.170 > 149.92.0.0: ip-proto-0 28 [tos 0x1]
14:38:02.224197 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.237.170 > 161.92.0.0: ip-proto-0 28 [tos 0x1]
14:38:02.264801 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 118.20.71.100 > 228.125.0.0: ip-proto-0 28 [tos 0x1]
14:38:03.504087 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 98: 243.20.163.64 > 80.135.0.0: ip-proto-0 60 [tos 0x1]
14:38:03.517865 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 98: 243.20.163.60 > 107.161.0.0: ip-proto-0 60 [tos 0x1]
14:38:03.888631 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 119.20.127.29 > 225.148.0.0: ip-proto-0 28 [tos 0x1]
14:38:03.889123 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 119.20.126.29 > 226.148.0.0: ip-proto-0 28 [tos 0x1]
14:38:04.384016 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 113.20.69.38 > 74.145.0.0: ip-proto-0 28 [tos 0x1]
14:38:04.516479 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 113.20.68.38 > 75.145.0.0: ip-proto-0 28 [tos 0x1]
14:38:04.517120 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 113.20.67.38 > 76.145.0.0: ip-proto-0 28 [tos 0x1]
14:38:04.521877 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 113.20.66.38 > 77.145.0.0: ip-proto-0 28 [tos 0x1]

Siddika
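One way to triage a capture like this, as an added example that is not part of the original post or of any Cisco tooling: a small Python script that parses windump link-level lines of the shape shown above, flags packets that use the reserved IP protocol 0 or target a class B network address (x.y.0.0) rather than a host, and groups the hits by source MAC so the offending interface stands out. The benign sample line and the packet threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches windump/tcpdump -e style lines as printed in the post:
# "HH:MM:SS.frac SRC_MAC DST_MAC ip LEN: SRC_IP > DST_IP: ip-proto-N PLEN [tos 0xT]"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)"
    r"\s+ip\s+\d+:\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):"
    r"\s+ip-proto-(?P<proto>\d+)"
)

def parse(line):
    """Return a dict of fields for one windump line, or None if it is not ip-proto output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["proto"] = int(pkt["proto"])
    return pkt

def is_suspicious(pkt):
    """IP protocol 0 is reserved (no normal application uses it), and a destination
    whose last two octets are 0.0 is a class B network address, not a host."""
    dst_octets = pkt["dst"].split(".")
    return pkt["proto"] == 0 or dst_octets[2:] == ["0", "0"]

def analyze(lines, min_packets=5):
    """Group suspicious packets by source MAC and summarise each MAC that sent at
    least min_packets of them: how many distinct (spoofed-looking) source IPs and
    how many distinct target networks it touched. min_packets is an assumed threshold."""
    by_mac = defaultdict(list)
    for line in lines:
        pkt = parse(line)
        if pkt is not None and is_suspicious(pkt):
            by_mac[pkt["smac"]].append(pkt)
    report = {}
    for mac, pkts in by_mac.items():
        if len(pkts) >= min_packets:
            report[mac] = {
                "packets": len(pkts),
                "distinct_src": len({p["src"] for p in pkts}),
                "distinct_dst_nets": len({p["dst"] for p in pkts}),
            }
    return report

# Sample input: five lines taken from the post plus one constructed benign line
# (protocol 47 to a host address) that should not be flagged.
SAMPLE = [
    "14:38:01.053348 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.8.171 > 134.92.0.0: ip-proto-0 28 [tos 0x1]",
    "14:38:01.616031 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 116.20.53.145 > 169.167.0.0: ip-proto-0 28 [tos 0x1]",
    "14:38:01.640727 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 116.20.50.145 > 172.167.0.0: ip-proto-0 28 [tos 0x1]",
    "14:38:01.652690 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 120.20.254.170 > 144.92.0.0: ip-proto-0 28 [tos 0x1]",
    "14:38:02.264801 0:e0:b6:0:27:b4 0:60:8:98:1c:74 ip 66: 118.20.71.100 > 228.125.0.0: ip-proto-0 28 [tos 0x1]",
    "14:38:05.000000 0:60:8:98:1c:74 0:e0:b6:0:27:b4 ip 60: 10.1.2.3 > 10.1.2.4: ip-proto-47 20 [tos 0x0]",
]

if __name__ == "__main__":
    for mac, summary in analyze(SAMPLE).items():
        print(mac, summary)
```

Running it against the full dump from the post reports only the local director's MAC, with every packet flagged on both criteria; that is the pattern the firewall is already dropping at rule 0.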
