Apologies for the length, and if you aren't interested in helping explain an
icmp denied log message from a Cisco Router, please ignore this email.

I have been seeing some activity and was trying to track it down. I've
been watching this activity all day and I have now proceeded to completely
confuse and second guess myself about what I am seeing.

<cisco log file snippet w/ hostnames and ip's changed to protect the innocent>
Dec  8 16:07:45 <ciscorouter> 3128095: Dec  8 16:07:44: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.201.225 -> abc.def.64.77 (3/1), 1 packet
Dec  8 16:07:47 <ciscorouter> 3128098: Dec  8 16:07:46: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.17 -> abc.def.62.4 (3/1), 1 packet
Dec  8 16:07:49 <ciscorouter> 3128099: Dec  8 16:07:48: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.25 -> abc.def.251.106 (3/1), 1 packet
Dec  8 16:07:51 <ciscorouter> 3128100: Dec  8 16:07:50: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.221.25 -> abc.def.89.116 (3/1), 1 packet
Dec  8 16:07:53 <ciscorouter> 3128103: Dec  8 16:07:52: %SEC-6-IPACCESSLOGDP: list 104 denied icmp xxx.yyy.201.225 -> abc.def.24.12 (3/1), 1 packet

Background Info:
As you can see, the xxx.yyy/16? addresses are on the outside (Internet). Also
note that the 3rd and 4th octets are the same in some cases, different in
others.

The abc.def addresses are inside the router (LAN).

Access list 104 is applied "inbound" to the serial interface (actually to 3
serial interfaces, as three T1's are "tied together" into one Cisco router).
So you know how the ACL was applied:
      enable
      conf t
      int s1/0
      ip access-group 104 in
      int s1/1
      ip access-group 104 in
      int s1/2
      ip access-group 104 in

access-list 104 has a few "permit icmp's" for some ip's, but for most
ip's, the "default" rule (which we explicitly put in for completeness) 

"ip access-list 104 deny ip any any log"

is causing the log entry.

My Issue:
The (paraphrased) log entry: "denied icmp xxx.yyy -> abc.def (3/1)" (i.e. host
unreachable), in combination with the over 50,000 icmp denies from the xxx.yyy
addresses, leads me to believe this is a co-ordinated IP sweep of the abc.def
addresses by the xxx.yyy addresses, but what is the denied message actually
telling me?

1) the abc.def address is unreachable?
2) the xxx.yyy address is unreachable?
3) something else?


The real issues are:
1) If 99% of the machines are protected and are returning
   <host unreachable>, wouldn't that mean that those that don't return <host
   unreachable> _are_ actually reachable?
2) How do you minimize giving out that information, without affecting the
   functionality of the router?
3) Can you safely turn off all ICMP messages and still have things work?

Also, can anyone recommend a tool to help analyze the cisco log file? We used
Webtrends to summarize, which it did very quickly and very well, but it appears
to be a bit lacking in the analysis of the data (i.e. "It appears you had a DoS
between 8am-10am," or "You had a port scan of IP address <a.b.c.d>" or "You are
currently having a port scan of IP address <a.b.c.d>")... maybe this is wishful
thinking on my part...

Any RTFM's, pointers to URL's etc. will be appreciated.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
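The kind of first-pass analysis the mail asks for, as an added example that is not part of the original message or of any Webtrends output. It parses the `%SEC-6-IPACCESSLOGDP` line shape quoted above, decodes the `(type/code)` pair (3/1 is ICMP "destination unreachable: host unreachable"), and aggregates per ICMP sender: how many packets, how many distinct inside addresses, and which types. Two points the log format settles on its own: the addresses read source -> destination, so in a (3/1) line the outside address is the one emitting the host-unreachable, and a type 3 message is something a host or router sends in reply to a datagram it could not deliver. Whether an inside host really sent the datagram that triggered it, or whether someone else spoofed the inside address, the ACL log alone cannot tell you. The sample lines and the 198.51.100.x / 203.0.113.x addresses are constructed for the example (documentation ranges, standing in for the xxx.yyy and abc.def placeholders); the `sweep_threshold` parameter is an assumption for the demo, not a Cisco setting.

```python
import re
from collections import Counter, defaultdict

# Shape of the IOS message quoted in the post, after the syslog/timestamp prefix:
#   %SEC-6-IPACCESSLOGDP: list 104 denied icmp SRC -> DST (TYPE/CODE), N packet(s)
# The pair in parentheses is the ICMP type and code; addresses read source -> destination.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP:\s*list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+icmp\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\((?P<type>\d+)/(?P<code>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

# Common ICMP type/code pairs (RFC 792 / RFC 1122 names).
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 13): "destination unreachable: communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

def parse_line(line):
    """Return a dict for one ACL ICMP log line, or None if the line is some other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    icmp_type, icmp_code = int(m["type"]), int(m["code"])
    return {
        "acl": m["acl"],
        "action": m["action"],
        "src": m["src"],          # sender of the ICMP message
        "dst": m["dst"],          # its recipient
        "type": icmp_type,
        "code": icmp_code,
        "count": int(m["count"]),
        "name": ICMP_NAMES.get((icmp_type, icmp_code), f"type {icmp_type} code {icmp_code}"),
    }

def summarize(lines, sweep_threshold=3):
    """Aggregate denied ICMP per sender: packets, distinct recipients, type/code mix,
    plus a flag when one sender has touched at least `sweep_threshold` inside addresses
    (threshold is an assumed demo value; tune it to your address space)."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "types": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = per_src[rec["src"]]
        s["packets"] += rec["count"]
        s["dsts"].add(rec["dst"])
        s["types"][rec["name"]] += rec["count"]
    report = {}
    for src, s in per_src.items():
        report[src] = {
            "packets": s["packets"],
            "distinct_dsts": len(s["dsts"]),
            "types": dict(s["types"]),
            "many_targets": len(s["dsts"]) >= sweep_threshold,
        }
    return report

# Constructed sample in the same shape as the post's snippet; addresses are
# documentation ranges (198.51.100.0/24 "outside", 203.0.113.0/24 "inside"), not real hosts.
SAMPLE_LOG = """\
Dec  8 16:07:45 router1 3128095: Dec  8 16:07:44: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.225 -> 203.0.113.77 (3/1), 1 packet
Dec  8 16:07:47 router1 3128098: Dec  8 16:07:46: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.17 -> 203.0.113.4 (3/1), 1 packet
Dec  8 16:07:49 router1 3128099: Dec  8 16:07:48: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.25 -> 203.0.113.106 (3/1), 1 packet
Dec  8 16:07:51 router1 3128100: Dec  8 16:07:50: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.25 -> 203.0.113.116 (3/1), 1 packet
Dec  8 16:07:53 router1 3128103: Dec  8 16:07:52: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.225 -> 203.0.113.12 (3/1), 1 packet
Dec  8 16:08:10 router1 3128110: Dec  8 16:08:09: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.225 -> 203.0.113.201 (8/0), 4 packets
Dec  8 16:12:53 router1 3128120: Dec  8 16:12:52: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.225 -> 203.0.113.77 (3/1), 9 packets
Dec  8 16:13:00 router1 3128121: Dec  8 16:12:59: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        flag = "  <-- many inside addresses" if info["many_targets"] else ""
        print(f"{src}: {info['packets']} pkts to {info['distinct_dsts']} hosts {info['types']}{flag}")
```

Feed it the real log with `summarize(open("router.log").read().splitlines())`. A sender that emits host-unreachables to many distinct inside addresses is worth a closer look, but the per-type breakdown matters: unreachables are replies, echo requests are probes, and the two say different things about who started the conversation.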
