Security Incidents mailing list archives

Protocol 54


From: lurker () ITIS COM (M J)
Date: Wed, 7 Jun 2000 13:30:35 -0000


Could anyone please shed some light on what may be going on
here?

Jun  6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun  6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst i_dmz:x.x.80.42
Jun  6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun  6 11:05:32 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun  6 11:05:41 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun  6 11:06:35 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst inside:x.x.90.105
Jun  6 11:10:05 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst i_dmz:x.x.80.38
Jun  6 11:27:51 %PIX: Deny inbound (No xlate) protocol 54 
src outside:xxx.144.226.160 dst inside:x.x.90.96

I understand that protocol 54 is NBMA Next Hop Resolution 
Protocol which is used to find the shortest path between 
two points and is used by some routing protocols (i.e. 
OSPF). I was told NHRP should only be used to find the 
first hop--the egress router--on a non-broadcast multi-
access network, and it should only be sent to the next hop 
server for the NBMA network. We just began seeing protocol 
54 packets sent to our web servers from networks that we 
*know* aren't NBMA.  Ideas?  Should I be worried?

Many Thanks!

-m
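One way a defender could triage messages like these, as an added example that is not part of the original post: it parses the PIX "Deny inbound (No xlate) protocol N" lines, maps the IP protocol number to its IANA name, and groups denied traffic for unexpected protocols by source, so a single outside address touching several DMZ and inside hosts stands out. The sample is the post's own log lines rejoined onto single lines plus one constructed GRE deny; the set of protocols expected from the outside interface is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the eight PIX messages from the post, rejoined onto single lines,
# plus one constructed GRE (protocol 47) deny to show the target-count threshold.
PIX_LOG = """\
Jun  6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun  6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.42
Jun  6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun  6 11:05:32 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun  6 11:05:41 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun  6 11:06:35 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.105
Jun  6 11:10:05 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst i_dmz:x.x.80.38
Jun  6 11:27:51 %PIX: Deny inbound (No xlate) protocol 54 src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun  6 11:30:02 %PIX: Deny inbound (No xlate) protocol 47 src outside:192.0.2.7 dst i_dmz:x.x.80.36
"""

# Matches the "Deny inbound (<reason>) protocol <n> src <if>:<addr> dst <if>:<addr>" form quoted above.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) %PIX: Deny inbound \((?P<reason>[^)]*)\) "
    r"protocol (?P<proto>\d+) src (?P<src_if>\w+):(?P<src>\S+) dst (?P<dst_if>\w+):(?P<dst>\S+)$"
)
# IANA IP protocol numbers for the names used here; 54 is NHRP, as the post says.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 54: "NHRP", 89: "OSPF"}
# Assumption: this site expects only these IP protocols to arrive on the outside interface.
EXPECTED_FROM_OUTSIDE = {1, 6, 17}

def parse_pix_denies(text):
    """Return one dict per matching deny line (proto as int); unrelated lines are skipped."""
    matches = (DENY_RE.match(line.strip()) for line in text.splitlines())
    return [dict(m.groupdict(), proto=int(m["proto"])) for m in matches if m]

def unusual_protocol_sources(events, expected=EXPECTED_FROM_OUTSIDE):
    """Group denies for unexpected protocols: (src, proto) -> sorted distinct destinations."""
    hits = defaultdict(set)
    for e in events:
        if e["proto"] not in expected:
            hits[(e["src"], e["proto"])].add(e["dst"])
    return {key: sorted(dsts) for key, dsts in hits.items()}

def summarize(text, min_targets=2):
    """One report line per source that sent an unexpected protocol to at least min_targets hosts."""
    lines = []
    for (src, proto), dsts in unusual_protocol_sources(parse_pix_denies(text)).items():
        if len(dsts) >= min_targets:
            name = PROTO_NAMES.get(proto, "unassigned/unknown")
            lines.append(f"{src} sent IP protocol {proto} ({name}) to {len(dsts)} hosts: {', '.join(dsts)}")
    return lines
```

Run against the sample, `summarize(PIX_LOG)` reports the one outside address that sent NHRP to five distinct hosts and ignores the single-target GRE line.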
