[nsp] Possible Attack????
MPuras at solunet.com
Thu Dec 26 18:51:40 EST 2002
Hi all. I was wondering if someone can shed some light on a weird issue
that I am seeing. This perhaps may be an attack from an internal or infected
host within the network, or simply a malfunctioning NIC. Basically, I have a
Cisco 3662 with 2 satellite links. I noticed that the main WAN link
(1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of
output drops and the links started to flap, and as a result BGP sessions
started going down, causing huge problems. Once I was able to get the BGP
under control, I enabled Netflow on the inbound interface (FE0/1) to see
what type of traffic could be causing this issue, and this is when I noticed
the below:
Here is the output of the Netflow:
cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
978 active, 3118 inactive, 121929 added
2503952 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 41 0.0 50 40 0.0 31.3 14.4
TCP-FTP 87 0.0 7 65 0.0 17.0 12.1
TCP-FTPD 27 0.0 135 211 0.0 83.0 3.5
TCP-WWW 43121 0.3 8 335 2.8 3.6 2.7
TCP-SMTP 1137 0.0 6 173 0.0 9.8 9.7
TCP-BGP 1 0.0 673 68 0.0 1796.8 3.6
TCP-Frag 2 0.0 1 40 0.0 0.0 15.5
TCP-other 33285 0.2 14 246 3.7 24.0 10.3
UDP-DNS 6005 0.0 1 73 0.0 1.3 15.4
UDP-NTP 10 0.0 1 76 0.0 0.0 15.4
UDP-other 13772 0.1 6 78 0.7 1.2 15.5
ICMP 2904 0.0 3 72 0.0 19.1 15.4
IP-other 20559 0.1 148 20 24.5 6.8 15.4
Total: 120951 0.9 33 76 32.2 9.9 9.4
<snip>
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 127.0.0.124 Se1/2.500 108.122.0.0 00 0000 0000 285
Fa0/1 127.0.0.125 Se1/2.500 108.122.0.0 00 0000 0000 38
Fa0/1 127.0.0.122 Se1/2.500 108.122.0.0 00 0000 0000 35
Fa0/1 127.0.0.123 Se1/2.500 108.122.0.0 00 0000 0000 296
Fa0/1 127.0.0.120 Se1/2.500 108.122.0.0 00 0000 0000 33
Fa0/1 127.0.0.121 Se1/2.500 108.122.0.0 00 0000 0000 36
Fa0/1 127.0.0.118 Se1/2.500 108.122.0.0 00 0000 0000 52
Fa0/1 127.0.0.116 Se1/2.500 108.122.0.0 00 0000 0000 189
Fa0/1 127.0.0.117 Se1/2.500 108.122.0.0 00 0000 0000 277
Fa0/1 127.0.0.114 Se1/2.500 108.122.0.0 00 0000 0000 32
Fa0/1 127.0.0.115 Se1/2.500 108.122.0.0 00 0000 0000 215
Fa0/1 127.0.0.112 Se1/2.500 108.122.0.0 00 0000 0000 177
Fa0/1 127.0.0.113 Se1/2.500 108.122.0.0 00 0000 0000 80
Fa0/1 127.0.0.110 Se1/2.500 108.122.0.0 00 0000 0000 234
Fa0/1 127.0.0.111 Se1/2.500 108.122.0.0 00 0000 0000 279
Fa0/1 127.0.0.108 Se1/2.500 108.122.0.0 00 0000 0000 171
Fa0/1 127.0.0.109 Se1/2.500 108.122.0.0 00 0000 0000 139
Fa0/1 127.0.0.106 Se1/2.500 108.122.0.0 00 0000 0000 151
Fa0/1 127.0.0.107 Se1/2.500 108.122.0.0 00 0000 0000 57
Fa0/1 127.0.0.104 Se1/2.500 108.122.0.0 00 0000 0000 67
Fa0/1 127.0.0.105 Se1/2.500 108.122.0.0 00 0000 0000 34
Fa0/1 127.0.0.102 Se1/2.500 108.122.0.0 00 0000 0000 272
Fa0/1 127.0.0.103 Se1/2.500 108.122.0.0 00 0000 0000 144
Fa0/1 127.0.0.100 Se1/2.500 108.122.0.0 00 0000 0000 88
.
.
.
.
The list goes on and on showing 127.x.x.x. If you notice, the incoming
interface is my Fast Ethernet interface but the incoming source address is a
127.x.x.x. It is going out my WAN link (the same one that has been peaking
to ~20MB) destined to a bogus network. The protocol is bogus as well.
I enabled an access-list to block this 127.x.x.x address inbound from my FE
interface and that seems to have taken care of the spikes, but the problem is
still present. Anyone have any ideas what this could be?????
Thanks,
Mario Puras
SoluNet Technical Support
Mailto: mpuras@solunet.com
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)
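One way to triage a flow table like the one in this post, as an added example (not code from the poster or from Cisco): a small Python parser for the "show ip cache flow" layout quoted above that flags flows entering on the LAN interface with a loopback or other martian source, or carrying IP protocol 0, and totals packets per source so the noisiest spoofed addresses stand out. The martian list, the lan_if name and the constructed sample rows are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the IOS "show ip cache flow" output
# quoted above; the 127.x sources and protocol 00 mirror the poster's table.
SAMPLE_FLOWS = """\
SrcIf      SrcIPaddress   DstIf      DstIPaddress   Pr SrcP DstP  Pkts
Fa0/1      127.0.0.124    Se1/2.500  108.122.0.0    00 0000 0000   285
Fa0/1      127.0.0.125    Se1/2.500  108.122.0.0    00 0000 0000    38
Fa0/1      192.0.2.10     Se1/2.500  198.51.100.25  06 04D2 0050    12
Se1/2.500  198.51.100.25  Fa0/1      192.0.2.10     06 0050 04D2     9
"""

# Source space that should never enter from a LAN interface (loopback plus
# other RFC 3330 special-use ranges; the list itself is an assumption).
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

IPV4, HEX = r"\d+\.\d+\.\d+\.\d+", r"[0-9A-Fa-f]+"
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>%s)\s+(?P<dstif>\S+)\s+(?P<dst>%s)\s+"
    r"(?P<proto>%s)\s+%s\s+%s\s+(?P<pkts>\d+)\s*$" % (IPV4, IPV4, HEX, HEX, HEX))

def parse_flows(text):
    """Yield one dict per flow line; the header and '.' lines do not match."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["proto"], d["pkts"] = int(d["proto"], 16), int(d["pkts"])
            yield d

def is_martian(addr):
    return any(ipaddress.ip_address(addr) in net for net in MARTIAN_NETS)

def suspicious_flows(text, lan_if="Fa0/1"):
    """Flag flows entering on the LAN interface with a martian source, or with
    IP protocol 0, and total packets per source. Returns {src: (pkts, reason)}."""
    pkts, why = defaultdict(int), {}
    for f in parse_flows(text):
        reasons = []
        if f["srcif"] == lan_if and is_martian(f["src"]):
            reasons.append("martian source on " + lan_if)
        if f["proto"] == 0:
            reasons.append("IP protocol 0")
        if reasons:
            pkts[f["src"]] += f["pkts"]
            why[f["src"]] = ", ".join(reasons)
    return {s: (n, why[s]) for s, n in pkts.items()}
```

Run over the full cache output, the per-source packet totals show which LAN host the ACL hit is really coming from, which is the next thing to chase down on the switch.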