[c-nsp] Slammer (1434) attack

Brian Turnbow b.turnbow at twt.it
Wed Dec 22 10:22:32 EST 2004


Do a show access-list 140 a couple of times and you can see how many packets are matching the access-list.
If the worm is active you will see the counter running wild; trying to log thousands of packets per second
will make a serious dent in performance.
You can subnet the access-list, thus locating infected ranges:

access-list 140 permit udp 192.168.0.0 0.0.0.15 any eq 1434
access-list 140 permit udp 192.168.0.16 0.0.0.15 any eq 1434
access-list 140 permit udp 192.168.0.32 0.0.0.15 any eq 1434
access-list 140 permit udp 192.168.0.48 0.0.0.15 any eq 1434
access-list 140 permit udp 192.168.0.64 0.0.0.15 any eq 1434
etc.
Instead of

access-list 140 permit udp 192.168.0.0 0.0.0.255 any eq 1434

You can even do this down to host level 

Regards
Brian
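Added example (not from the thread or from Cisco): a small script that generates the subnetted counting ACL Brian describes, from /28 blocks down to single hosts, and then diffs two captures of "show access-list" output to report which ranges have counters that are still climbing. The sample router output and the 192.168.0.0/26 prefix are constructed for illustration.

```python
import ipaddress
import re

# Split a prefix into equal sub-blocks and emit one IOS ACE per block,
# using the wildcard (inverse) mask form that numbered access-lists expect.
# new_prefixlen=32 gives one entry per host ("down to host level").
def split_acl(acl_no, prefix, new_prefixlen, proto="udp", port=1434):
    net = ipaddress.ip_network(prefix)
    return [
        f"access-list {acl_no} permit {proto} "
        f"{sub.network_address} {sub.hostmask} any eq {port}"
        for sub in net.subnets(new_prefix=new_prefixlen)
    ]

# One ACE line of 'show access-list', with an optional "(N matches)" suffix.
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit .+?)(?:\s+\((\d+) matches?\))?\s*$")

# Parse 'show access-list' output into {ace_text: match_count}.
def parse_counters(output):
    counts = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2) or 0)
    return counts

# Compare two snapshots taken a few seconds apart; return the entries whose
# counter increased, largest delta first. The top entry is the block to
# split further (or the infected host, if already at /32).
def growing_entries(before, after):
    b, a = parse_counters(before), parse_counters(after)
    deltas = {ace: a[ace] - b.get(ace, 0) for ace in a if a[ace] > b.get(ace, 0)}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample snapshots, not real router output.
SNAP1 = """Extended IP access list 140
    10 permit udp 192.168.0.0 0.0.0.15 any eq 1434 (12 matches)
    20 permit udp 192.168.0.16 0.0.0.15 any eq 1434 (40213 matches)
    30 permit udp 192.168.0.32 0.0.0.15 any eq 1434
"""
SNAP2 = """Extended IP access list 140
    10 permit udp 192.168.0.0 0.0.0.15 any eq 1434 (12 matches)
    20 permit udp 192.168.0.16 0.0.0.15 any eq 1434 (181450 matches)
    30 permit udp 192.168.0.32 0.0.0.15 any eq 1434 (3 matches)
"""

if __name__ == "__main__":
    print("\n".join(split_acl(140, "192.168.0.0/26", 28)))
    for ace, delta in growing_entries(SNAP1, SNAP2):
        print(f"+{delta:>8}  {ace}")
```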


-----Original Message-----
From: Amol Sapkal [mailto:amolsapkal at gmail.com] 
Sent: Wednesday 22 December 2004 15.59
To: Brian Turnbow
Cc: cisco-nsp
Subject: Re: [c-nsp] Slammer (1434) attack

On Wed, 22 Dec 2004 15:56:54 +0100, Brian Turnbow <b.turnbow at twt.it> wrote:
> Be careful logging the acl if the attack is in progress !
> Try looking at traffic on the access ports first.

Are you saying that it would eat up the switch cpu?

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Amol Sapkal
> Sent: Wednesday 22 December 2004 15.48
> To: cisco-nsp
> Subject: Fwd: [c-nsp] Slammer (1434) attack
> 
> ---------- Forwarded message ----------
> From: Amol Sapkal <amolsapkal at gmail.com>
> Date: Wed, 22 Dec 2004 06:44:32 -0800
> Subject: Re: [c-nsp] Slammer (1434) attack
> To: Josh Duffek <consultantjd16 at ridemetro.org>
> 
> Thanks! The 'log' keyword just slipped off my mind. I think log should take care of it. Regarding sniffing, that is the last option I am looking at, as it is going to be some while before I am actually able to sniff the wire.
> 
> Regds,
> Amol
> 
> On Wed, 22 Dec 2004 08:41:58 -0600, Josh Duffek <consultantjd16 at ridemetro.org> wrote:
> > What about adding the log keyword to the end of the ACL?  Couldn't 
> > you also put yourself in that vlan and sniff the wire?
> >
> > josh duffek    network engineer
> > consultantjd16 at ridemetro.org
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- 
> > > bounces at puck.nether.net] On Behalf Of Amol Sapkal
> > > Sent: Wednesday, December 22, 2004 8:35 AM
> > > To: cisco-nsp
> > > Subject: [c-nsp] Slammer (1434) attack
> > >
> > > Hi,
> > > I am having a slammer (udp 1434) attack on my network. I have 
> > > these aggregation switches (cat6509s) in the network on which my 
> > > team has applied access-list blocking the udp port 1434. Now I 
> > > need to know what machine is actually infected. The machines are 
> > > connected via access switches to the aggregator cat 6509.
> > >
> > > Earlier, I suggested that we remove the access-list (or rate-limit 
> > > the udp 1434 traffic on the vlan interface to a minimal value) so 
> > > that I could apply 'ip route-cache flow' on the affected vlan 
> > > interface and check for the host generating traffic on port 1434.
> > >
> > > The catch is, we are not supposed to remove the access-list (as a 
> > > caution to prevent the further spread of the slammer).
> > >
> > > Is there a work around to know how to get the culprit machine? I 
> > > tried debugging the number access-list that is applied on the vlan 
> > > interface using the command 'debug ip packet 140' (where 140 is 
> > > the extended numbered access-list). I did not see any debug output.
> > >
> > > --
> > > Warm Regds,
> > >
> > > Amol Sapkal
> > >
> > > --------------------------------------------------------------------
> > > An eye for an eye makes the whole world blind
> > > - Mahatma Gandhi
> > > --------------------------------------------------------------------
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> --
> Warm Regds,
> 
> Amol Sapkal
> 
> --------------------------------------------------------------------
> An eye for an eye makes the whole world blind
> - Mahatma Gandhi
> --------------------------------------------------------------------