Security Incidents mailing list archives
Why is my router doing this?
From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Tue, 26 Sep 2000 17:26:39 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am concerned because I've noticed lately some traffic being blocked by an OUTBOUND filter on my border router. (FTR, my router's real IP address has been changed. Source port and destination address/ports remain untouched.) Serial0/1 is my second serial interface (inside). Serial0/0 is my external serial interface on which this outbound filter is running. Something is trying to send packets out Serial0/0 with its source address but originating from Serial0/1 (input interface) -- ie, inside my network. Really scares me. Wierd thing is, all the destination IPs are non-routed (reserved) IP addresses. I don't get it at all. denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137) denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137) denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.69.162(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.126.168(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137) denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137) Has anyone seen anything like this before? What could be going on to make my router want to send out packets like this? Any help is appreciated... - -- Aaron P. Howard CCNA, CNE, MCSE, RHCE ahoward () noerrors com 0A1B EDB8 911E B1F3 FFF4 67CD 367B 6A03 470E 00FC -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.0.2 iQA/AwUBOdEQxDZ7agNHDgD8EQKJSQCeMsNbKoR/8KhR7oHb8Su2L4/B1p4AoMM/ kDFSU98T/V3tQQExw1pu2EDq =W134 -----END PGP SIGNATURE-----
Current thread:
- Why is my router doing this? Howard, Aaron (Sep 27)
- Re: Why is my router doing this? Crist Clark (Sep 28)
- <Possible follow-ups>
- Re: Why is my router doing this? Bill Royds (Sep 28)