for some months, our border routers log attempts to connect from the outside using a source address that is internal to my network. e.g.
Oct 3 06:48:12 r0 7833: Oct 3 06:48:11.267: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list serial-in4 denied udp 147.28.0.223(3465) -> 147.28.0.222(53), 1 packet
some days, we see a *lot* of this. anyone else seeing similar?
randy
On 10/4/19 5:53 PM, Randy Bush wrote:
for some months, our border routers log attempts to connect from the outside using a source address that is internal to my network. e.g.
Oct 3 06:48:12 r0 7833: Oct 3 06:48:11.267: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list serial-in4 denied udp 147.28.0.223(3465) -> 147.28.0.222(53), 1 packet
some days, we see a *lot* of this. anyone else seeing similar?
I also see them. The pattern is the same with a source IP one higher than destination, destination port is always DNS/UDP. Over the last few hours, for example:
ipfw: 500 Deny UDP 202.12.127.73:62057 202.12.127.72:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.186:28518 202.12.127.185:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.145:22501 202.12.127.144:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.195:65470 202.12.127.194:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.240:64810 202.12.127.239:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.246:33497 202.12.127.245:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.140:11008 202.12.127.139:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.178:3616 202.12.127.177:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.189:3316 202.12.127.188:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.157:23692 202.12.127.156:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.254:31943 202.12.127.253:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.173:18489 202.12.127.172:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.242:36058 202.12.127.241:53 in via fxp0
My anti-spoofing rules throw them on the floor since they can't possibly originate on this interface so I haven't investigated further,
imb
it's a dos on my logs. and i do not want to turn hairpin detection off, as there could be interesting things. sigh. :(
randy
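Added example, not part of the thread or written by either poster: a log-triage sketch that parses both deny-log formats quoted above, counts the denies that fit the described pattern (UDP to port 53, source address one higher than the destination) per destination prefix, and keeps every other deny line for individual review. The function names, the /24 grouping and the 192.0.2.x sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: three lines copied from the thread plus one
# made-up line (192.0.2.x) that does not fit the pattern.
SAMPLE = """\
Oct 3 06:48:12 r0 7833: Oct 3 06:48:11.267: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list serial-in4 denied udp 147.28.0.223(3465) -> 147.28.0.222(53), 1 packet
ipfw: 500 Deny UDP 202.12.127.73:62057 202.12.127.72:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.186:28518 202.12.127.185:53 in via fxp0
ipfw: 500 Deny UDP 192.0.2.10:40000 192.0.2.99:123 in via fxp0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    # Router ACL log as quoted: "denied udp SRC(SPORT) -> DST(DPORT)"
    re.compile(rf"denied (\w+) {IP}\((\d+)\) -> {IP}\((\d+)\)", re.I),
    # ipfw log as quoted: "Deny UDP SRC:SPORT DST:DPORT in via IF"
    re.compile(rf"Deny (\w+) {IP}:(\d+) {IP}:(\d+) in via", re.I),
]

def parse(line):
    """Return (proto, src, sport, dst, dport) or None if no format matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            return (proto.lower(), ipaddress.ip_address(src), int(sport),
                    ipaddress.ip_address(dst), int(dport))
    return None

def is_thread_pattern(rec):
    """UDP to port 53 where the source is the destination address plus one."""
    proto, src, _sport, dst, dport = rec
    return proto == "udp" and dport == 53 and int(src) - int(dst) == 1

def summarize(text, prefix_len=24):
    """Count pattern-matching denies per destination prefix; keep the rest."""
    hits, other = Counter(), []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_thread_pattern(rec):
            net = ipaddress.ip_network(f"{rec[3]}/{prefix_len}", strict=False)
            hits[str(net)] += 1
        else:
            other.append(line)
    return hits, other
```

Calling `summarize(SAMPLE)` returns the per-prefix counts and the list of deny lines that did not fit the pattern; pass the contents of a real log file in place of `SAMPLE` to triage it the same way.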
participants (2)
- Michael Butler
- Randy Bush