Re: Suspicious Activity

From: Michael Grice (grice@binc.net)
Date: 08/19/01 

Date: Sun, 19 Aug 2001 16:59:56 -0500
From: Michael Grice <grice@binc.net>
To: security-basics@securityfocus.com
Subject: Re: Suspicious Activity
Message-ID: <20010819165956.A12977@ctg-mail.binc.net>

* freehold@erols.com <freehold@erols.com> [010819 11:05] wrote:
> I think TFTP passes information from services for some devices at
> boot-time - like routers & their config files. It might even be the
> default install to leave it open. But it doesn't have authentication &
> I don't think there's any reason to use it outside of your LAN. You
> probably want to restrict access to it closely even inside.

I suspect that a router somewhere has the original poster's server's IP
address configured as a helper address. When a Cisco router is configured
with a helper address, by default it forwards broadcasts to a number of
UDP ports to the helper address. The ports forwarded include 53 (name
service) and 69 (TFTP), among others.

The point of the helper address is to specifically forward those packets
to where they are needed, so that the entire subnet does not receive
these broadcasts. Without a helper address, the router would just
discard these broadcasts.

If this is the case, you can turn off UDP forwarding for certain ports
with (for example) "no ip forward-protocol udp 69" in configuration
mode on the router. See Cisco's documentation for more details. If
you're getting the packets because of a helper address, it's probably
harmless.

Like Missy says, if you have TFTP running in your LAN, you don't want
anybody to have access to it. It's common to use TFTP on a server to
collect router configs, for example.
--Michael

Relevant Pages

  • Re: Cisco running-config replication
    ... :running-config every hour of the production router.. ... And do they support the same configuration file ... a tftp upload of the configuration you want to replicate, ... download of that file to the other router. ...
    (comp.dcom.sys.cisco)
  • Re: Cisco running-config replication
    ... HSRP is little bit difficult for the moment, because we want also to make the same replication with our 4006 backbone switches ... ... Have you some example or documentation for SNMP and tftp tasks? ... And do they support the same configuration file versions and the same features? ... the 2811 is an integrated services router that supports a bunch of features not available on the 2610xm. ...
    (comp.dcom.sys.cisco)
  • Re: Will replacing Interface card / NM also copy interface configuration?
    ... from one Cisco 2620 router to another 2620 router will cause the ... interface configuration too to be copied to the running config of ... If you need to copy the configuration, tftp it to a tftp server, ...
    (comp.dcom.sys.cisco)
  • Re: Will replacing Interface card / NM also copy interface configuration?
    ... from one Cisco 2620 router to another 2620 router will cause the ... interface configuration too to be copied to the running config of ... If you need to copy the configuration, tftp it to a tftp server, ...
    (comp.dcom.sys.cisco)
  • RE: ISA2k4 - Aktives TFTP Port:69
    ... Und alles mit dem Protokoll TFTP und Port 69. ... Was mich stutzig macht ist die Meldung am Router ... Dan muss 0.0.0.0:0 der ISA sein oder? ... >> Nach Aussage von Lancom muss ich eine Regel mit aktiven TFTP Port:69 ...
    (microsoft.public.de.german.isaserver)