[AG-TECH] Re: FW: Strange Access Grid traffic to port 80 (fwd)

Robert Olson olson at mcs.anl.gov
Thu May 16 15:03:13 CDT 2002


There's nothing we're doing that should trigger such a thing. Perhaps 
something is scanning IP space for http servers, and the traffic's getting 
thru since the group is already known to the routers .. or something..

--bob

At 01:54 PM 5/16/2002 -0600, Stewart, Corbin J wrote:
>Greetings,
>I received this email from Hugh saying that he's seeing multicast traffic to
>223.2.171.1:80 from our video machine that's running our multicast beacon.
>Any ideas why traffic would be going to port 80?  We did have an AG meeting
>today in the Big Horn room from 8-11am PST.  I don't know if that helps.
>
>Thanks in advance
>
>---------------------------------------------------------------
>Corbin Stewart                               cjstewa at sandia.gov
>
>Videoconferencing & Collaborative Environments
>Sandia National Laboratories California
>925-294-4856
>
>
>-----Original Message-----
>From: Hugh LaMaster [mailto:lamaster at nas.nasa.gov]
>Sent: Thursday, May 16, 2002 11:57 AM
>To: Ross Gaunt; Scott Miller; Jeff Olsen; Brian Bodtker; Lanette
>Radliff; Corbin Stewart; Rich Gay
>Subject: Strange Access Grid traffic to port 80 (fwd)
>
>
>
>Greetings,
>
>Sorry to bother you all if this turns out to be nothing, but,
>I am a little concerned about the following.  For some time,
>I have been concerned about the potential for using multicast
>to scan for certain broken IP stacks.  So, I block certain
>ports for all multicast groups.
>
>Today, for the first time, I seem to be seeing such traffic.
>(Well, I have seen a few things long ago, but, they were
>unmistakable as broken software/configurations and other errors.)
>
>I was surprised that it started coming from both the Sandia
>and LLNL access grid beacons at about the same time.  So,
>perhaps I am being paranoid, but, I have to ask if this is
>something you set up on purpose, and, why?  If not, is it
>a misconfiguration or a security breach?  I am trying to
>think of a legitimate reason for why traffic would be sent
>to the Access Grid multicast group on port 80.
>
>Apologies in advance if I am being obtuse.  Just tell me to
>go climb back under my rock.
>
>OTOH, if I'm not mistaken, I thought you would want to know.
>
>Regards,
>Hugh LaMaster
>NASA NREN
>
>
>==============================================================================
>  Hugh LaMaster, M/S 233-21,    Email: lamaster at nas.nasa.gov
>  NASA Ames Research Center     Or:    lamaster at nren.nasa.gov
>  Moffett Field, CA 94035-1000  Or:    lamaster at kinkajou.arc.nasa.gov
>  Phone: 650/604-1056           Disc:  Unofficial, personal *opinion*.
>==============================================================================
>
>---------- Forwarded message ----------
>Date: Thu, 16 May 2002 11:44:43 -0700 (PDT)
>From: Hugh LaMaster <lamaster at nas.nasa.gov>
>To: Hugh LaMaster <lamaster at kinkajou.arc.nasa.gov>
>Subject: Bogus multicast packets to port 80
>
>
>
>SLOT 1:May 16 04:58:17.758: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(2632) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:18.830: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(2852) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:20.250: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3343) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:21.354: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4913) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:22.874: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(2936) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:24.122: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3419) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:25.326: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(1994) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:26.694: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3177) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:29.310: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(9145) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:30.342: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(2974) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:31.518: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3107) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:32.530: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(2712) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:33.538: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(2573) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:34.594: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3782) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:35.802: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(1263) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:37.346: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3651) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:38.550: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3474) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:39.650: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4151) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:40.962: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(4300) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:43.518: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(49352) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:47.962: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(4517) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:51.970: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(1728) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:53.402: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3055) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:54.834: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(1784) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:56.266: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4724) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:58.574: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3318) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:58:59.674: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3596) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:01.214: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(2306) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:02.774: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3960) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:04.646: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(54849) -> 233.2.171.1(37), 1 packet
>SLOT 1:May 16 04:59:06.514: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(64768) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:08.274: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4184) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:10.502: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(17912) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:12.254: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4618) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 04:59:25.550: %SEC-6-IPACCESSLOGRL: access-list logging
>rate-limited or missed 58 packets
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3692) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(2202) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3287) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(4078) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(4477) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.12.135.2(3189) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4101) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(4854) -> 233.2.171.1(80), 1 packet
>SLOT 1:May 16 05:04:25.588: %SEC-6-IPACCESSLOGP: list 130 denied udp
>146.246.172.2(3167) -> 233.2.171.1(80), 1 packet
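
An added example, not part of the original thread: one way to triage a forwarded ACL log like the one quoted above, rejoining the mail-wrapped records and counting denied packets per source, multicast group and destination port. The function names are hypothetical and the sample records are constructed with documentation addresses, not the hosts from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (documentation addresses) in the same mail-wrapped, ">"-quoted layout.
SAMPLE = """\
>SLOT 1:May 16 04:58:17.758: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.0.2.10(2632) -> 233.252.0.1(80), 1 packet
>SLOT 1:May 16 04:58:18.830: %SEC-6-IPACCESSLOGP: list 130 denied udp
>198.51.100.7(2852) -> 233.252.0.1(80), 1 packet
>SLOT 1:May 16 04:58:20.250: %SEC-6-IPACCESSLOGP: list 130 denied udp
>198.51.100.7(54849) -> 233.252.0.1(37), 1 packet
>SLOT 1:May 16 04:58:21.100: %SEC-6-IPACCESSLOGP: list 130 denied udp
>192.0.2.10(3177) -> 203.0.113.5(80), 3 packets
>SLOT 1:May 16 04:59:25.550: %SEC-6-IPACCESSLOGRL: access-list logging
>rate-limited or missed 58 packets
"""

DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packets?")
MISSED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (\d+) packets?")

def records(text):
    """Strip '>' quoting and rejoin records the mailer wrapped onto two lines."""
    rec = ""
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if "%SEC-" in line and rec:  # a new record starts: emit the previous one
            yield rec
            rec = ""
        rec = f"{rec} {line}".strip() if line else rec
    if rec:
        yield rec

def summarize(text):
    """Count denied packets per (source, group, dest port), multicast destinations only."""
    hits, missed = Counter(), 0
    for rec in records(text):
        if m := DENY.search(rec):
            _acl, _proto, src, _sport, dst, dport, n = m.groups()
            if ipaddress.ip_address(dst).is_multicast:
                hits[(src, dst, int(dport))] += int(n)
        elif m := MISSED.search(rec):
            missed += int(m.group(1))  # packets the router dropped without logging
    return hits, missed

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `missed` total matters when reading the counts: the per-source numbers are a lower bound whenever the router reports rate-limited logging.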