In a 3725 running IOS 12.4(5a) we have an access list on the internet interface that passes some icmp types and blocks the remainder with log. Sometimes we see a number of events in the log like this:
Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (44/216), 1 packet
Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (60/224), 1 packet
Jun 12 19:47:34 hk 102294: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (48/20), 1 packet
Jun 12 19:47:55 hk 102295: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (42/80), 1 packet
Jun 12 19:47:59 hk 102296: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (62/108), 1 packet
Jun 12 19:48:04 hk 102297: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (55/136), 1 packet
Jun 12 19:48:16 hk 102298: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (51/8), 1 packet
Jun 12 19:51:51 hk 102299: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (52/220), 1 packet
Jun 12 19:51:53 hk 102300: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (45/176), 1 packet
Jun 12 19:52:00 hk 102301: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp a.b.c.d -> e.f.g.h (63/104), 1 packet
Is it certain that the system at a.b.c.d is really sending those weird icmp messages to us (e.f.g.h), or could there be an issue in the logging code that makes it log this trash?
At first I believed this was an attack, but now I see such an event where the source is the home PC of one of our employees. Could it be that it is infected with some malware, or is he just sending some icmp we did not expect and is the logging broken?
I also see logs with an expected code, like this:
Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet
Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 61.219.64.4 -> e.f.g.h (5/1), 1 packet
Here, someone is trying to send us a REDIRECT, something we have blocked on purpose. So it at least works part of the time.
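To separate the two cases the question raises (a real ICMP type the ACL blocks on purpose versus a type/code pair that is not assigned at all), it helps to parse the IPACCESSLOGDP lines and classify the parenthesised type/code against the IANA ICMP registry rather than eyeballing them. The script below is an added example, not code from the original post or from Cisco; the log lines in SAMPLE are constructed with documentation addresses (192.0.2.x, 198.51.100.x) in the same format as the ones above, and the names parse_line, summarize and suspicious_sources are my own. The code-range table lists only the well-known type/code assignments; note that types 42 and 43 (Extended Echo, RFC 8335) were assigned long after IOS 12.4 and are deliberately left out so that, as on a box of that era, they classify as unassigned.

```python
"""Classify Cisco IOS %SEC-6-IPACCESSLOGDP icmp denies by ICMP type/code.

Added example for the log format shown in the question; not part of the
original post.  Sample input is constructed with RFC 5737 addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches both observed line shapes: with and without the "8w4d:" uptime
# field that some IOS boxes emit after the sequence number.  The parenthesised
# pair after the addresses is ICMP (type/code); the trailer is "N packet(s)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied icmp "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Well-known IANA ICMP types -> (name, highest defined code for that type).
# Anything not listed here is treated as unassigned/reserved.
ASSIGNED_TYPES = {
    0: ("echo-reply", 0), 3: ("unreachable", 15), 4: ("source-quench", 0),
    5: ("redirect", 3), 8: ("echo", 0), 9: ("router-advertisement", 16),
    10: ("router-solicitation", 0), 11: ("time-exceeded", 1),
    12: ("parameter-problem", 2), 13: ("timestamp-request", 0),
    14: ("timestamp-reply", 0), 15: ("information-request", 0),
    16: ("information-reply", 0), 17: ("mask-request", 0),
    18: ("mask-reply", 0), 30: ("traceroute", 0),
}


@dataclass
class IcmpDeny:
    acl: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    count: int

    @property
    def verdict(self) -> str:
        """Name of the ICMP type, or a tag saying why the pair looks bogus."""
        entry = ASSIGNED_TYPES.get(self.icmp_type)
        if entry is None:
            return "unassigned-type"
        name, max_code = entry
        if self.icmp_code > max_code:
            return f"{name}/bad-code"
        return name


def parse_line(line: str):
    """Return an IcmpDeny for an IPACCESSLOGDP icmp line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return IcmpDeny(m["acl"], m["src"], m["dst"],
                    int(m["type"]), int(m["code"]), int(m["count"]))


def summarize(lines):
    """Per-source packet counts keyed by verdict (ignores non-matching lines)."""
    per_src: dict[str, Counter] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_src.setdefault(rec.src, Counter())[rec.verdict] += rec.count
    return per_src


def suspicious_sources(lines, min_events: int = 3):
    """Sources that sent at least min_events packets with an unassigned type:
    the pattern from the question, as opposed to a blocked-on-purpose REDIRECT."""
    return sorted(src for src, tally in summarize(lines).items()
                  if tally["unassigned-type"] >= min_events)


# Constructed sample in the question's format (documentation addresses).
SAMPLE = """\
Jun 12 19:47:26 hk 102292: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 198.51.100.1 (44/216), 1 packet
Jun 12 19:47:29 hk 102293: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 198.51.100.1 (60/224), 1 packet
Jun 12 19:47:34 hk 102294: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.10 -> 198.51.100.1 (48/20), 1 packet
Jun 3 08:50:18 hk 99909: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.20 -> 198.51.100.1 (5/1), 1 packet
Jun 3 08:55:58 hk 99910: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.20 -> 198.51.100.1 (5/1), 3 packets
Jun 3 09:01:02 hk 99911: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.30 -> 198.51.100.1 (3/7), 1 packet
Jun 3 09:01:02 hk 99912: 8w4d: %SEC-6-IPACCESSLOGDP: list inet-in denied icmp 192.0.2.40 -> 198.51.100.1 (11/9), 1 packet
""".splitlines()

if __name__ == "__main__":
    for src, tally in summarize(SAMPLE).items():
        print(src, dict(tally))
    print("suspicious:", suspicious_sources(SAMPLE))
```

Feed it the real syslog export instead of SAMPLE and look at the verdict column: a source whose denies are all "unassigned-type" with codes scattered across 0-255, like the a.b.c.d entries above, is what to take to a packet capture on the outside interface, since the ACL log only reports the two bytes it read and cannot by itself say whether they came from a real ICMP header.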