This traffic is getting denied by my ingress Internet filters designed to stop spoofed internal addresses. However, I have yet to see traffic that has this pattern. The site in question has no alternate Internet connection that could be resending this traffic. As the ingress points in question are the legitimately advertised connections (via BGP), I can't think of any other reason this traffic should be appearing. However, I really do not understand what an attacker would gain with probe packets like this. The return traffic should (in an ideal world) simply get redirected to the loopback interface. But then again, this world is far from ideal, necessitating this message.

Oct 13 13:33:04 ingress.router.ip.address 4267746: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(34) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(34), 1 packet
Oct 13 13:33:06 ingress.router.ip.address 4267747: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(37) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(37), 1 packet
Oct 13 13:33:07 ingress.router.ip.address 4267749: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(43) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(43), 1 packet
Oct 13 13:33:08 ingress.router.ip.address 4267751: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(25) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(25), 1 packet
Oct 13 13:33:09 ingress.router.ip.address 4267752: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(26) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(26), 1 packet
Oct 13 13:33:11 ingress.router.ip.address 4267754: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(28) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(28), 1 packet
Oct 13 13:33:14 ingress.router.ip.address 4267755: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(31) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(31), 1 packet
Oct 13 13:33:16 ingress.router.ip.address 4267757: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(32) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(32), 1 packet
Oct 13 13:33:17 ingress.router.ip.address 4267758: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(33) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(33), 1 packet

Thanks for your help... Please note that the IP address (50.50.50.50) is NOT the real IP of the target in question...

Jesse Whyte
Security Analyst
Office of Information Resources
State of Tennessee
(615)741-8651
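
An added example, not part of the original post: a small Python filter for %SEC-6-IPACCESSLOGP lines like those above that keeps only denied entries whose source and destination address and port are identical, and groups them by the interface and MAC they arrived from. The first two sample lines are copied from the post and the other two are constructed; treating the interface/MAC group as optional is an assumption.

```python
import re
from collections import defaultdict

# Sample input: lines 1-2 are from the post, lines 3-4 are constructed
# (192.0.2.x and 198.51.100.x are documentation address ranges).
SAMPLE_LOG = """\
Oct 13 13:33:04 ingress.router.ip.address 4267746: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(34) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(34), 1 packet
Oct 13 13:33:06 ingress.router.ip.address 4267747: %SEC-6-IPACCESSLOGP: list 113 denied udp 50.50.50.50(37) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(37), 1 packet
Oct 13 13:33:07 ingress.router.ip.address 4267748: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.0.2.7(4312) (Ethernet1/5 0010.117d.fc08) -> 50.50.50.50(80), 1 packet
Oct 13 13:33:09 ingress.router.ip.address 4267750: %SEC-6-IPACCESSLOGP: list 113 denied udp 198.51.100.9(53) -> 50.50.50.50(53), 3 packets
"""

# Assumption: the "(interface MAC)" group may be absent, so it is optional here.
ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<mac>[0-9a-fA-F.]+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def self_addressed(log_text):
    """Return denied entries where source ip:port equals destination ip:port,
    grouped by the (interface, MAC) the packets were received from."""
    hits = defaultdict(lambda: {"packets": 0, "ports": []})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m["action"] != "denied":
            continue  # not an ACL log line, or not a deny
        if (m["src"], m["sport"]) != (m["dst"], m["dport"]):
            continue  # ordinary denied traffic, not the pattern in question
        key = (m["ifname"] or "unknown", m["mac"] or "unknown")
        hits[key]["packets"] += int(m["count"])
        hits[key]["ports"].append((m["proto"], int(m["dport"])))
    return dict(hits)


if __name__ == "__main__":
    for (ifname, mac), info in self_addressed(SAMPLE_LOG).items():
        print(f"{ifname} {mac}: {info['packets']} packets, ports {info['ports']}")
```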