Security Incidents mailing list archives

Why is my router doing this?


From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Tue, 26 Sep 2000 17:26:39 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am concerned because I've noticed lately some traffic being blocked
by an OUTBOUND filter on my border router.

(FTR, my router's real IP address has been changed.  Source port and
destination address/ports remain untouched.)

Serial0/1 is my second serial interface (inside).  Serial0/0 is my
external serial interface on which this outbound filter is running.

Something is trying to send packets out Serial0/0 with its source
address but originating from Serial0/1 (input interface) -- i.e.,
inside my network.  Really scares me.

Weird thing is, all the destination IPs are non-routed (reserved)
IP addresses.  I don't get it at all.

denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.69.162(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.126.168(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)

Has anyone seen anything like this before?  What could be going on
to make my router want to send out packets like this?

Any help is appreciated...

- --
Aaron P. Howard
CCNA, CNE, MCSE, RHCE
ahoward () noerrors com
0A1B EDB8 911E B1F3 FFF4 67CD 367B 6A03 470E 00FC

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOdEQxDZ7agNHDgD8EQKJSQCeMsNbKoR/8KhR7oHb8Su2L4/B1p4AoMM/
kDFSU98T/V3tQQExw1pu2EDq
=W134
-----END PGP SIGNATURE-----
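
An added example, not part of the original post: a Python script that parses deny lines in the trimmed format quoted in the message and groups them by input interface, protocol, ports and destination address class, so a run of hits like the one above can be summarised at a glance. The function names, the address-class labels and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Blocks that should never be forwarded to the Internet (RFC 1918, link-local).
RESERVED = {
    "link-local 169.254.0.0/16": ipaddress.ip_network("169.254.0.0/16"),
    "private 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "private 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "private 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}
# Matches: denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
LINE_RE = re.compile(
    r"^(?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<iface>\S+)[^)]*\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)
# First four lines use the format from the post; the last two are constructed.
SAMPLE_LOG = """\
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied tcp 12.34.56.78(1025) (Serial0/1 *HDLC*) -> 198.51.100.7(80)
this line is not an ACL hit
"""

def classify(addr):
    """Return the reserved block containing addr, or 'other'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in RESERVED.items() if ip in net), "other")

def parse(text):
    """Yield one dict per ACL log line; skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        try:
            hit["dst_class"] = classify(hit["dst"])
        except ValueError:  # dotted string that is not a valid IPv4 address
            continue
        yield hit

def summarize(text):
    """Count hits per (input interface, proto, src port, dst port, dst class)."""
    return Counter((h["iface"], h["proto"], int(h["sport"]), int(h["dport"]),
                    h["dst_class"]) for h in parse(text))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, key)
```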

