[c-nsp] Slammer (1434) attack
Amol Sapkal
amolsapkal at gmail.com
Wed Dec 22 09:34:48 EST 2004
Hi,

I am having a slammer (udp 1434) attack on my network. I have these
aggregation switches (cat6509s) in the network on which my team has
applied an access-list blocking the udp port 1434. Now I need to know
what machine is actually infected. The machines are connected via
access switches to the aggregator cat 6509.

Earlier, I suggested that we remove the access-list (or rate-limit the
udp 1434 traffic on the vlan interface to a minimal value) so that I
could apply 'ip route-cache flow' on the affected vlan interface and
check for the host generating traffic on port 1434.

The catch is, we are not supposed to remove the access-list (as a
caution to prevent the further spread of the slammer).

Is there a workaround to know how to get the culprit machine? I tried
debugging the numbered access-list that is applied on the vlan interface
using the command 'debug ip packet 140' (where 140 is the extended
numbered access-list). I did not see any debug output.

--
Warm Regds,
Amol Sapkal
--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------
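
The flow-cache check the post describes (finding the host that generates traffic to UDP 1434), as an added example that is not part of the original message. It assumes flow data is available from the interface and uses the classic `show ip cache flow` column layout, where protocol and ports are printed in hex; the sample output, addresses, interface names and the `suspects` / `min_dsts` names are constructed for illustration.

```python
import re
from collections import defaultdict

SLAMMER_PORT = 1434  # UDP port named in the post (0x059A in the flow cache)
UDP = 17             # shown as "11" in the hex Pr column

# Constructed sample of 'show ip cache flow' rows (not from a real device).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl20          10.1.40.23      Null          198.51.100.7    11 0A3C 059A     1
Vl20          10.1.40.23      Null          203.0.113.90    11 0A3C 059A     1
Vl20          10.1.40.23      Null          192.0.2.201     11 0A3C 059A     1
Vl20          10.1.40.57      Vl10          10.1.10.5       06 0C21 0050    42
Vl20          10.1.40.88      Vl10          10.1.10.9       11 0D02 059A     3
Vl20          10.1.40.23      Null          198.51.100.7    11 0A3C 059A     1
"""

ROW = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"[0-9A-Fa-f]{4}\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)(?P<unit>[KM]?)\s*$"
)
UNITS = {"": 1, "K": 1_000, "M": 1_000_000}

def suspects(text, port=SLAMMER_PORT, min_dsts=3):
    """Return (srcif, src_ip, distinct_dsts, pkts) for sources fanning out to UDP `port`.

    A scanning worm sends to many different destinations, so the number of
    distinct destination addresses is a better signal than raw packet count.
    """
    dsts, pkts = defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, summary or blank line
        if int(m["pr"], 16) != UDP or int(m["dport"], 16) != port:
            continue
        key = (m["srcif"], m["src"])
        dsts[key].add(m["dst"])
        pkts[key] += int(m["pkts"]) * UNITS[m["unit"]]
    hits = [(i, ip, len(d), pkts[(i, ip)]) for (i, ip), d in dsts.items()
            if len(d) >= min_dsts]
    return sorted(hits, key=lambda h: (-h[2], -h[3]))

if __name__ == "__main__":
    for srcif, ip, n, p in suspects(SAMPLE):
        print(f"{ip} on {srcif}: {n} distinct destinations, {p} packets to udp/{SLAMMER_PORT}")
```

The source address it reports can then be traced to an access-switch port through the ARP and MAC address tables.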