https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157098#M51560 <P>I personally think it is a TFTP DDoS, based on this article.</P><P>&nbsp;</P><P><A href="https://securityintelligence.com/news/trivial-file-transfer-protocol-used-in-new-ddos-attack/" target="_blank">https://securityintelligence.com/news/trivial-file-transfer-protocol-used-in-new-ddos-attack/</A></P> Thu, 18 May 2017 03:03:16 GMT sum0831 2017-05-18T03:03:16Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/156977#M51532 <P>Hi All,</P><P>&nbsp;</P><P>I monitor networks for my client, recently I discovered some suspicious outbound traffic from internal to a known malicious host, although the packet was dropped on the PA. the logs I have showing that the packet's source IP as the internet's router sub interfaces IP with MAC address all zeros &amp; destination IP as the malicious host and destination MAC all zeros.</P><P>&nbsp;</P><P>After a chat with one of the network guys, he advised someone might be spoofing an IP from the internal, sicne the setup is internal -&gt;PA-&gt;internet router-&gt;internet. and the packet was dropped before it reached the router.</P><P>&nbsp;</P><P>My questions are, what does the MAC address with all zeros tells me? and are there any way of figuring out the "true" source of the traffic? since there could be a compromised host in the network?</P><P>&nbsp;</P><P>Thanks</P> Tue, 16 May 2017 22:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/156977#M51532 sum0831 2017-05-16T22:54:51Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157009#M51540 <P>all-zeroes mac might indeed be a spoofing attack from someone (or something) smart enough to hide the hardware address</P> <P>&nbsp;</P> <P>the next place you should look is the network switch to see if you can determine the switchport the mac address is known on, you&nbsp; might be able to zero your search</P> <P>&nbsp;</P> <P>on a cisco switch that would be something like</P> <P>&nbsp;</P> <PRE>show mac address-table address 0000.0000.0000</PRE> <P>the output, with a little luck, could tell you the port the mac was seen on:</P> <PRE>PANW_CORE#sh mac address-table Codes: * - primary entry vlan mac address type learn qos ports ------+----------------+--------+-----+---+-------------------------- * 1 0090.0b22.7d8c dynamic Yes -- Gi4/2 * 3 001b.175d.1310 dynamic Yes -- Gi3/7 </PRE> Wed, 17 May 2017 08:20:45 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157009#M51540 reaper 2017-05-17T08:20:45Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157085#M51559 <P>we ran a packet capturing and manage to get some logs off the PA, we have identified the MAC address of the outbound traffic was actually from one of the interface of the router to the malicious host. but I still can't identified the internal host that generated this traffic. Please advise.</P><P>&nbsp;</P><P>The malicious host inbound traffic were on TFTP some sort of Read request to some pdf documents. and the outbound traffic was UDP with No such file in the data.</P> Thu, 18 May 2017 02:39:39 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157085#M51559 sum0831 2017-05-18T02:39:39Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157098#M51560 <P>I personally think it is a TFTP DDoS, based on this article.</P><P>&nbsp;</P><P><A href="https://securityintelligence.com/news/trivial-file-transfer-protocol-used-in-new-ddos-attack/" target="_blank">https://securityintelligence.com/news/trivial-file-transfer-protocol-used-in-new-ddos-attack/</A></P> Thu, 18 May 2017 03:03:16 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-packet-with-mac-address-all-zeros/m-p/157098#M51560 sum0831 2017-05-18T03:03:16Z