Protocol 61: Anybody got packets?
Jason is writing us saying that his firewall is dropping 600-700 packets per second with protocol 61 (not port 61). He hasn't been able to capture full packets but is working on it.
This looks very much like a corrupt packet, maybe as a result of a DoS upstream, or a broken attack tools. If anybody sees something similar, please let us know (and we really like full packets)
The source IP addresses are 2.2.128.1 and 5.5.128.1 (again, odd addresses... )
Here are some anonymized firewall logs from Jason:
2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:2.2.128.1 dst outside:xxx.xxx.xx6.1 2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:5.5.128.1 dst outside:xxx.xxx.xx6.1 2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:2.2.128.1 dst outside:xxx.xxx.xx8.1 2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:5.5.128.1 dst outside:xxx.xxx.xx8.1
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
My next class:
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
×
Diary Archives
Comments
Details on IP address 2.2.128.1
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '2.2.128.0 - 2.2.128.255'
inetnum: 2.2.128.0 - 2.2.128.255
netname: IP2000-ADSL-BAS
descr: BSREN651 Rennes Bloc 2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: abuse@orange.fr
mnt-by: FT-BRX
source: RIPE # Filtered
% Information related to '2.2.0.0/16AS3215'
route: 2.2.0.0/16
descr: France Telecom Orange
origin: AS3215
mnt-by: RAIN-TRANSPAC
mnt-by: FT-BRX
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.55 (WHOIS3)
StarLight
Apr 13th 2013
1 decade ago
The packets seem not to be spoofed and typically it lasts a week or so. PCAP is available.
Jens
Apr 13th 2013
1 decade ago
Vance Baker
Apr 14th 2013
1 decade ago