Hi (I hope this is an appropriate forum to ask this - if not, please direct me elsewhere),

We have a situation where a customer's link is getting flooded by traffic from random src. Cisco router logs as follows:

Aug 24 13:09:10: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:12: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.55.6(0) (Serial0 *HDLC*) -> x.y.z.93(0), 9 packets
Aug 24 13:09:15: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 152.91.14.26(0) (Serial0 *HDLC*) -> x.y.z.93(0), 15 packets
Aug 24 13:09:16: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 209.185.128.140(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:20: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 203.12.45.1(0) (Serial0 *HDLC*) -> x.y.z.93(0), 1 packet
Aug 24 13:09:23: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.93(0), 1 packet
Aug 24 13:09:24: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 208.171.50.94(0) (Serial0 *HDLC*) -> x.y.z.92(0), 7 packets
Aug 24 13:09:28: %SEC-6-IPACCESSLOGP: list 121 permitted udp 209.185.188.39(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:31: %SEC-6-IPACCESSLOGP: list 121 permitted udp 216.32.65.105(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:33: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 202.139.63.137 (Serial0 *HDLC*) -> x.y.z.92 (0/0), 14 packets
Aug 24 13:09:33: %SEC-6-IPACCESSLOGP: list 121 permitted udp 204.178.123.193(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 61.136.89.56(0) (Serial0 *HDLC*) -> x.y.z.94(0), 58 packets
Aug 24 13:09:40: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.92(0), 12 packets
Aug 24 13:09:44: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.93(0), 1 packet
Aug 24 13:09:45: %SEC-6-IPACCESSLOGP: list 121 permitted udp 208.211.225.10(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet

Traffic is also flooding outwards, logs as follows:

Aug 23 14:17:50: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 198.3.103.213(0), 1 packet
Aug 23 14:17:51: %SEC-6-IPACCESSLOGP: list 133 permitted udp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 192.36.148.17(0), 1 packet
Aug 23 14:17:52: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 130.230.6.85(0), 6 packets
Aug 23 14:17:53: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 137.43.2.9(0), 1 packet
Aug 23 14:17:54: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 199.239.1.238(0), 1 packet
Aug 23 14:17:55: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 212.126.144.55(0), 1 packet
Aug 23 14:17:57: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 216.254.6.165(0), 1 packet
Aug 23 14:17:58: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 213.25.50.5(0), 1 packet
Aug 23 14:17:59: %SEC-6-IPACCESSLOGP: list 133 permitted tcp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 212.126.144.55(0), 1 packet

Logs were generated by creating an access list with "permit ip any any log-input" on their edge router (DMZ). x.y.z.92 is the NAT address on their PIX firewall - x.y.z.93 is their mail server (MS Exchange 5).

Traffic seems to be coming and going from port 0. I've searched the archives and found some info regarding port 0 but am not too sure if it applies in this case. I'd appreciate any thoughts/suggestions on how to deal with this ( **Please be gentle**).

FYI, bandwidth around here is a premium (64K Sync is the max. one can get from the monopoly telco). Everyone goes through the one Internet gateway (also owned by the telco) who do not have any skills onshore - all based overseas so I don't think asking them to apply any sort of filtering is going to help.

Thanks,
Warwick

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
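An added example, not part of Warwick's post: a small Python parser for the `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` lines quoted above, which sums the logged packet counts per source so the heaviest senders stand out, and which flags the one thing these particular logs cannot tell you. The `(0)` port fields are not traffic to port 0: as I read IOS ACL logging, a `permit ip any any log-input` entry matches at the IP layer and never inspects TCP/UDP ports, so the port fields are printed as 0 (for ICMP the `DP` variant prints type/code instead, where `0/0` is a genuine value, echo reply). To see real ports you would need logging entries that match on `tcp`/`udp` ahead of the `ip` catch-all. The embedded sample is a handful of lines copied from the post plus one constructed line (source `10.0.0.5`, ports `1234` -> `25`) to show what the same message looks like when ports are populated; that line, its address and a constructed non-ACL syslog line used in the check are made up.

```python
import re
from collections import Counter

# Added example, not from the original post. Parses Cisco IOS ACL log
# messages (%SEC-6-IPACCESSLOGP for tcp/udp, %SEC-6-IPACCESSLOGDP for icmp)
# in the form shown on the page and summarises who is sending what.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+?)(?:\((?P<sport>\d+)\))? ?"      # src, optional (port)
    r"\((?P<iface>[^)]*)\) -> "                        # (interface [mac])
    r"(?P<dst>[\w.]+?)(?: ?\((?P<dport>[\d/]+)\))?, "  # dst, (port) or (type/code)
    r"(?P<count>\d+) packets?"
)

# Lines 1-7 are copied from the post; the last line is CONSTRUCTED to show a
# record whose ACE matched on tcp and therefore carries real ports.
SAMPLE_LOG = """\
Aug 24 13:09:10: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:12: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.55.6(0) (Serial0 *HDLC*) -> x.y.z.93(0), 9 packets
Aug 24 13:09:16: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 209.185.128.140(0)(Serial0 *HDLC*) -> x.y.z.92(0), 1 packet
Aug 24 13:09:33: %SEC-6-IPACCESSLOGDP: list 121 permitted icmp 202.139.63.137 (Serial0 *HDLC*) -> x.y.z.92 (0/0), 14 packets
Aug 24 13:09:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 61.136.89.56(0) (Serial0 *HDLC*) -> x.y.z.94(0), 58 packets
Aug 24 13:09:40: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 202.1.53.2(0) (Serial0 *HDLC*) -> x.y.z.92(0), 12 packets
Aug 23 14:17:51: %SEC-6-IPACCESSLOGP: list 133 permitted udp x.y.z.92(0) (Ethernet0 0050.54fe.f685) -> 192.36.148.17(0), 1 packet
Aug 23 14:17:55: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 10.0.0.5(1234) (Serial0 *HDLC*) -> x.y.z.93(25), 3 packets
"""


def parse_line(line):
    """Return a dict of fields for one ACL log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def ports_known(rec):
    """False when a tcp/udp record carries the 0/0 placeholder ports.

    An 'ip any any' ACE never tests L4 ports, so IOS logs both as 0 (the
    assumption this example rests on). For icmp the field is type/code and
    0/0 is a real value (echo reply), so those records are never flagged.
    """
    if rec["proto"] not in ("tcp", "udp"):
        return True
    return not (rec["sport"] == "0" and rec["dport"] == "0")


def summarize(log_text):
    """Sum logged packet counts per (acl, proto, src, dst)."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return totals


def top_sources(log_text, acl, n=5):
    """Sources with the most logged packets through access list `acl`."""
    per_src = Counter()
    for (list_no, _proto, src, _dst), pkts in summarize(log_text).items():
        if list_no == acl:
            per_src[src] += pkts
    return per_src.most_common(n)


def unknown_port_share(log_text):
    """Fraction of tcp/udp records whose ports are the 0/0 placeholder."""
    recs = [r for r in map(parse_line, log_text.splitlines())
            if r and r["proto"] in ("tcp", "udp")]
    if not recs:
        return 0.0
    return sum(1 for r in recs if not ports_known(r)) / len(recs)


if __name__ == "__main__":
    for src, pkts in top_sources(SAMPLE_LOG, "121"):
        print(f"{src:>16}  {pkts:5d} packets")
    share = unknown_port_share(SAMPLE_LOG)
    print(f"{share:.0%} of tcp/udp records have placeholder ports; "
          "log with tcp/udp entries if you need port numbers")
```

Run it as a script to get a per-source packet ranking for list 121; feed it a larger capture from `show logging` or a syslog server and the same ranking shows whether the flood is a few heavy sources or many light ones, which is the first thing to know before asking anyone upstream for a filter.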
