Could anyone please shed some light on what may be going on
here?
Jun 6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst i_dmz:x.x.80.42
Jun 6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:05:32 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst i_dmz:x.x.80.36
Jun 6 11:05:41 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst inside:x.x.90.96
Jun 6 11:06:35 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst inside:x.x.90.105
Jun 6 11:10:05 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst i_dmz:x.x.80.38
Jun 6 11:27:51 %PIX: Deny inbound (No xlate) protocol 54
src outside:xxx.144.226.160 dst inside:x.x.90.96
I understand that protocol 54 is NBMA Next Hop Resolution
Protocol which is used to find the shortest path between
two points and is used by some routing protocols (i.e.
OSPF). I was told NHRP should only be used to find the
first hop--the egress router--on a non-broadcast multi-
access network, and it should only be sent to the next hop
server for the NBMA network. We just began seeing protocol
54 packets sent to our web servers from networks that we
*know* aren't NBMA. Ideas? Should I be worried?
Many Thanks!
-m
Received on Jun 08 2000
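
One way to triage denies like those quoted in the post, as an added example that is not part of the original message: the script rejoins the wrapped PIX lines, groups them by source and IP protocol number, and reports sources that send an unexpected protocol to several destinations. The sample log is constructed with documentation addresses; the set of expected protocols and the destination threshold are assumptions to adjust per site.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped format quoted in the post (addresses are
# documentation ranges, not the poster's).
SAMPLE = """\
Jun 6 09:30:57 %PIX: Deny inbound (No xlate) protocol 54
src outside:198.51.100.160 dst i_dmz:192.0.2.36
Jun 6 09:31:35 %PIX: Deny inbound (No xlate) protocol 54
src outside:198.51.100.160 dst i_dmz:192.0.2.42
Jun 6 09:33:30 %PIX: Deny inbound (No xlate) protocol 54
src outside:198.51.100.160 dst inside:192.0.2.96
Jun 6 09:40:02 %PIX: Deny inbound (No xlate) protocol 1
src outside:203.0.113.9 dst i_dmz:192.0.2.36
"""

# Assumption: IP protocols considered routine at this edge
# (ICMP, TCP, UDP, GRE, ESP, AH).
EXPECTED_PROTOCOLS = {1, 6, 17, 47, 50, 51}

# Accepts masked octets ("x") as they appear in the posted log.
DENY_RE = re.compile(
    r"%PIX: Deny inbound \(No xlate\) protocol (?P<proto>\d+)\s+"
    r"src (?P<sif>\w+):(?P<src>[\dx.]+) dst (?P<dif>\w+):(?P<dst>[\dx.]+)"
)

def summarize(log_text):
    """Group denies by (source, protocol) and collect the destinations hit."""
    joined = " ".join(log_text.split())  # undo the line wrapping
    groups = defaultdict(lambda: {"count": 0, "dsts": set(), "ifaces": set()})
    for m in DENY_RE.finditer(joined):
        g = groups[(m["src"], int(m["proto"]))]
        g["count"] += 1
        g["dsts"].add(m["dst"])
        g["ifaces"].add(m["dif"])
    return dict(groups)

def unusual(groups, min_dsts=2):
    """Sources sending an unexpected IP protocol to several destinations."""
    return sorted(
        key for key, g in groups.items()
        if key[1] not in EXPECTED_PROTOCOLS and len(g["dsts"]) >= min_dsts
    )

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for src, proto in unusual(groups):
        g = groups[(src, proto)]
        print(f"{src} proto {proto}: {g['count']} denies, "
              f"{len(g['dsts'])} destinations via {sorted(g['ifaces'])}")
```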