Security Incidents mailing list archives
Protocol 54
From: lurker () ITIS COM (M J)
Date: Wed, 7 Jun 2000 13:30:35 -0000
Could anyone please shed some light on what may be going on here.

Jun 6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.42
Jun 6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:05:32 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 11:05:41 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:06:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.105
Jun 6 11:10:05 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.38
Jun 6 11:27:51 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96

I understand that protocol 54 is NBMA Next Hop Resolution Protocol which is used to find the shortest path between two points and is used by some routing protocols (i.e. OSPF). I was told NHRP should only be used to find the first hop--the egress router--on a non-broadcast multi-access network, and it should only be sent to the next hop server for the NBMA network.

We just began seeing protocol 54 packets sent to our web servers from networks that we *know* aren't NBMA.

Ideas? Should I be worried?

Many Thanks!
-m
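One way to triage the log excerpt above, as an added example that is not part of the original post: the Python below parses the PIX deny lines quoted in the message and groups them by source and IP protocol number, so the spread across destinations and interfaces is visible at a glance. The function names are hypothetical, and the year 2000 for the timestamps is an assumption taken from the message date, since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (addresses redacted as in the original).
SAMPLE = """\
Jun 6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.42
Jun 6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:05:32 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 11:05:41 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:06:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.105
Jun 6 11:10:05 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.38
Jun 6 11:27:51 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
"""

# Addresses are matched as \S+ because the redacted octets are not valid IPs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) %PIX: Deny inbound \(No xlate\) "
    r"protocol (?P<proto>\d+) src (?P<sif>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>\S+)$")

COMMON_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP

def parse(text, year=2000):
    """Yield one dict per matching deny line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["proto"] = int(ev["proto"])
            ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev

def summarize(text):
    """Group denies by (source, protocol) and report how widely each one fans out."""
    groups = defaultdict(list)
    for ev in parse(text):
        groups[(ev["src"], ev["proto"])].append(ev)
    return [{
        "src": src, "proto": proto, "count": len(evs),
        "dsts": sorted({e["dst"] for e in evs}),
        "ifaces": sorted({e["dif"] for e in evs}),
        "first": min(e["ts"] for e in evs),
        "last": max(e["ts"] for e in evs),
        "unusual_proto": proto not in COMMON_PROTOCOLS,
    } for (src, proto), evs in groups.items()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
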