<html>
<font size=3>There's nothing we're doing that should trigger such a
thing. Perhaps something is scanning IP space for http servers, and the
traffic's getting thru since the group is already known to the routers ..
or something..<br><br>
--bob<br><br>
At 01:54 PM 5/16/2002 -0600, Stewart, Corbin J wrote:<br>
<blockquote type=cite class=cite cite>Greetings,<br>
I received this email from Hugh saying that he's seeing multicast traffic
to 223.2.171.1:80 from our video machine that's running our multicast
beacon. Any ideas why traffic would be going to port 80? We did have an AG
meeting today in the Big Horn room from 8-11am PST. I don't know if that
helps.<br><br>
Thanks in advance<br><br>
---------------------------------------------------------------<br>
Corbin Stewart, cjstewa@sandia.gov<br><br>
Videoconferencing &amp; Collaborative Environments<br>
Sandia National Laboratories California<br>
925-294-4856<br><br>
<br>
-----Original Message-----<br>
From: Hugh LaMaster
[<a href="mailto:lamaster@nas.nasa.gov" eudora="autourl">mailto:lamaster@nas.nasa.gov</a>]<br>
Sent: Thursday, May 16, 2002 11:57 AM<br>
To: Ross Gaunt; Scott Miller; Jeff Olsen; Brian Bodtker; Lanette<br>
Radliff; Corbin Stewart; Rich Gay<br>
Subject: Strange Access Grid traffic to port 80 (fwd)<br><br>
<br><br>
Greetings,<br><br>
Sorry to bother you all if this turns out to be nothing, but,<br>
I am a little concerned about the following. For some time,<br>
I have been concerned about the potential for using multicast<br>
to scan for certain broken IP stacks. So, I block certain <br>
ports for all multicast groups.<br><br>
Today, for the first time, I seem to be seeing such traffic.<br>
(Well, I have seen a few things long ago, but, they were<br>
unmistakable as broken software/configurations and other
errors.)<br><br>
I was surprised that it started coming from both the Sandia<br>
and LLNL access grid beacons at about the same time. So,<br>
perhaps I am being paranoid, but, I have to ask if this is<br>
something you set up on purpose, and, why? If not, is it<br>
a misconfiguration or a security breach? I am trying to <br>
think of a legitimate reason for why traffic would be sent<br>
to the Access Grid multicast group on port 80.<br><br>
Apologies in advance if I am being obtuse. Just tell me to <br>
go climb back under my rock.<br><br>
OTOH, if I'm not mistaken, I thought you would want to know.<br><br>
Regards,<br>
Hugh LaMaster<br>
NASA NREN<br><br>
<br>
==============================================================================<br>
Hugh LaMaster, M/S 233-21, Email: lamaster@nas.nasa.gov<br>
NASA Ames Research Center, Or: lamaster@nren.nasa.gov<br>
Moffett Field, CA 94035-1000, Or: lamaster@kinkajou.arc.nasa.gov<br>
Phone: 650/604-1056, Disc: Unofficial, personal *opinion*.<br>
==============================================================================<br><br>
---------- Forwarded message ----------<br>
Date: Thu, 16 May 2002 11:44:43 -0700 (PDT)<br>
From: Hugh LaMaster &lt;lamaster@nas.nasa.gov&gt;<br>
To: Hugh LaMaster &lt;lamaster@kinkajou.arc.nasa.gov&gt;<br>
Subject: Bogus multicast packets to port 80<br><br>
<br><br>
SLOT 1:May 16 04:58:17.758: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(2632) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:18.830: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(2852) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:20.250: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3343) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:21.354: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4913) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:22.874: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(2936) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:24.122: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3419) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:25.326: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(1994) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:26.694: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3177) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:29.310: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(9145) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:30.342: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(2974) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:31.518: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3107) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:32.530: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(2712) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:33.538: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(2573) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:34.594: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3782) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:35.802: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(1263) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:37.346: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3651) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:38.550: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3474) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:39.650: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4151) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:40.962: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(4300) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:43.518: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(49352) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:47.962: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(4517) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:51.970: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(1728) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:53.402: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3055) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:54.834: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(1784) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:56.266: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4724) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:58.574: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3318) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:58:59.674: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3596) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:01.214: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(2306) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:02.774: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3960) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:04.646: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(54849) -> 233.2.171.1(37), 1 packet<br>
SLOT 1:May 16 04:59:06.514: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(64768) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:08.274: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4184) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:10.502: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(17912) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:12.254: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4618) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 04:59:25.550: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 58 packets<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3692) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(2202) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3287) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(4078) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(4477) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.12.135.2(3189) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4101) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(4854) -> 233.2.171.1(80), 1 packet<br>
SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp 146.246.172.2(3167) -> 233.2.171.1(80), 1 packet</font></blockquote></html>
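
Added example, not part of the original messages: a Python summary of `%SEC-6-IPACCESSLOGP` denials to multicast groups, in the format of the forwarded log, grouped by source, group and destination port, with the rate-limit notice counted separately. The sample lines are constructed (documentation-range source addresses) and the input is assumed to be plain text.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log above (documentation-range sources).
# The second entry is wrapped the way the mail client wrapped the original lines.
SAMPLE = """\
SLOT 1:May 16 04:58:17.758: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.0.2.10(2632) -> 233.2.171.1(80), 1 packet
SLOT 1:May 16 04:58:18.830: %SEC-6-IPACCESSLOGP: list 130 denied
udp
198.51.100.7(2852) -> 233.2.171.1(80), 1 packet
SLOT 1:May 16 04:58:20.250: %SEC-6-IPACCESSLOGP: list 130 denied udp 198.51.100.7(54849) -> 233.2.171.1(37), 3 packets
SLOT 1:May 16 04:58:21.000: %SEC-6-IPACCESSLOGP: list 130 denied tcp 203.0.113.5(4000) -> 192.0.2.80(80), 1 packet
SLOT 1:May 16 04:59:25.550: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 58 packets
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)\((\d+)\)"
ENTRY = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
                   + ADDR + r" -> " + ADDR + r", (\d+) packets?")
MISSED = re.compile(r"%SEC-6-IPACCESSLOGRL: \D*missed (\d+) packets?")


def summarize(text):
    """Summarize denied packets sent to multicast groups in a plain-text log."""
    flat = " ".join(text.split())          # undo line wrapping
    flows = Counter()                      # (source, group, dest port) -> packets
    src_ports = {}                         # source -> distinct source ports
    for _acl, _proto, src, sport, dst, dport, count in ENTRY.findall(flat):
        if not ipaddress.ip_address(dst).is_multicast:
            continue                       # unicast denials are out of scope here
        flows[(src, dst, int(dport))] += int(count)
        src_ports.setdefault(src, set()).add(int(sport))
    # Rate-limited entries mean every count above is only a lower bound.
    unlogged = sum(int(n) for n in MISSED.findall(flat))
    return {"flows": dict(flows), "src_ports": src_ports, "unlogged": unlogged}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for (src, group, dport), packets in sorted(report["flows"].items()):
        print(f"{src} -> {group}:{dport}  {packets} packet(s) denied")
    print(f"not logged (rate limit): at least {report['unlogged']}")
```

The per-source set of source ports shows whether a sender reuses one socket or opens a new one for each packet.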