From: Rob on
In a 3725 running IOS 12.4(5a) we have an access list on the internet
interface that passes some icmp types and blocks the remainder with log.
Sometimes we see a number of events in the log like this:

Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (44/216), 1 packet
Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (60/224), 1 packet
Jun 12 19:47:34 hk 102294: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (48/20), 1 packet
Jun 12 19:47:55 hk 102295: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (42/80), 1 packet
Jun 12 19:47:59 hk 102296: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (62/108), 1 packet
Jun 12 19:48:04 hk 102297: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (55/136), 1 packet
Jun 12 19:48:16 hk 102298: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (51/8), 1 packet
Jun 12 19:51:51 hk 102299: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (52/220), 1 packet
Jun 12 19:51:53 hk 102300: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (45/176), 1 packet
Jun 12 19:52:00 hk 102301: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (63/104), 1 packet

Is it certain that the system at a.b.c.d is really sending those weird
icmp messages to us (e.f.g.h), or could there be an issue in the logging
code that makes it log this trash?

At first I believed this was an attack, but now I see such an event where
the source is the home PC of one of our employees. Could it be that it
is infected with some malware, or is he just sending some icmp we did
not expect and is the logging broken?

I also see logs with an expected code, like this:

Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet
Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet

Here, someone is trying to send us a REDIRECT, something we have blocked
on purpose. So it at least works part of the time.
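
An added example, not part of the original post: a small Python parser for the %SEC-6-IPACCESSLOGDP lines quoted above that groups denied ICMP by source and lists the type/code pairs seen, so a source repeating one known pair (such as redirect 5/1) can be told apart from one sending a different unnamed type in every packet. The sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Names for common ICMP types (IANA registry); other types are reported by number only.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
              8: "echo", 11: "time-exceeded", 12: "parameter-problem"}

# Matches the message body, with or without an uptime prefix such as "8w4d:" before it.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?")

def parse_line(line):
    """Return a dict of fields for one ICMP ACL log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Per source: packet total, distinct (type, code) pairs, and the types without a name."""
    stats = defaultdict(lambda: {"packets": 0, "pairs": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = stats[rec["src"]]
        entry["packets"] += rec["count"]
        entry["pairs"].add((rec["type"], rec["code"]))
    for entry in stats.values():
        entry["unnamed_types"] = sorted({t for t, _ in entry["pairs"] if t not in ICMP_TYPES})
    return dict(stats)

# Constructed sample lines in the format quoted above; addresses are documentation ranges.
SAMPLE = [
    "Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 203.0.113.1 (44/216), 1 packet",
    "Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 203.0.113.1 (60/224), 1 packet",
    "Jun 12 19:47:34 hk 102294: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 203.0.113.1 (48/20), 1 packet",
    "Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 198.51.100.7 -> 203.0.113.1 (5/1), 1 packet",
    "Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 198.51.100.7 -> 203.0.113.1 (5/1), 1 packet",
    "Jun 3 09:00:00 hk 99911: 8w4d: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        names = [f"{ICMP_TYPES.get(t, 'type ' + str(t))}/{c}" for t, c in sorted(e["pairs"])]
        print(src, e["packets"], "packets:", ", ".join(names))
```
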