[nsp] Nachi worm mitigation finds bug in 7500 dCEF
David A. Allen
network-lists at gwi.net
Wed Aug 27 16:50:53 EDT 2003
We're using this ACL and applying the policy route to several interfaces. I
haven't seen any impact on worm traffic levels. I don't think the filter is
really working at all for us.
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
match ip address 199
match length 92 92
set interface Null0
interface XXXX
ip route-cache policy
ip route-cache flow
ip policy route-map nachi-worm
7500 series, RSP8 running 12.2(8)T4. dCEF enabled.
On one single router, over a 30-second span, policy routing matches increase by
about 30 packets (3264 bytes), or about 1 packet per second at about 108 bytes per
packet. 108 bytes per packet? (not 92 bytes?)
Netflow stats for this router show, well... see for yourself:

Protocol   Total Flows   Flows/Sec   Packets/Flow   Bytes/Pkt   Packets/Sec   Active(Sec)/Flow   Idle(Sec)/Flow
ICMP           1376938     15299.3              1          91       15350.6                0.0              7.4
Total:         1610198     17891.0              2         223       37116.1                0.4              7.4
Clearly the vast majority of flows are ICMP worm traffic.
I have tried manipulating the "match length 92 92" line to different sizes with
no appreciable difference in the quantity of worm traffic. We're going to send
this back to Cisco and see what they say.
-Dave
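To see what the route-map above actually selects, here is an added example (not from the post or from Cisco) that builds ICMP echo packets of different sizes and applies the same two tests the route-map does: ACL 199 (ICMP echo/echo-reply) and `match length 92 92`, which IOS compares against the Layer 3 (IP total) length. The 64-byte echo payload is a constructed sample, and the Ethernet framing shown at the end is only there to illustrate why a counter that includes Layer 2 bytes reports more than 92 per packet.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_UNREACHABLE = 0, 8, 3

def build_ipv4_icmp(icmp_type: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet carrying one ICMP message (checksums left zero; not needed here)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload   # 8-byte ICMP header + payload
    total_len = 20 + len(icmp)                                        # IP total length field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))      # constructed sample addresses
    return ip + icmp

def acl_199_permits(pkt: bytes) -> bool:
    """'permit icmp any any echo' / 'echo-reply': protocol 1 and ICMP type 8 or 0."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 1:
        return False
    return pkt[ihl] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)

def route_map_matches(pkt: bytes, min_len: int = 92, max_len: int = 92) -> bool:
    """Emulate route-map nachi-worm permit 10: both match clauses must be true."""
    l3_len = struct.unpack("!H", pkt[2:4])[0]          # 'match length' uses the IP total length
    return acl_199_permits(pkt) and min_len <= l3_len <= max_len

def frame_length(pkt: bytes, l2_overhead: int = 14) -> int:
    """Bytes on the wire if a Layer 2 header is counted as well (14 = Ethernet, an assumption)."""
    return len(pkt) + l2_overhead

def classify(packets: list[bytes]) -> list[bool]:
    """Apply the route-map to a batch of packets; True means the packet would go to Null0."""
    return [route_map_matches(p) for p in packets]

if __name__ == "__main__":
    worm_like = build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\xaa" * 64)   # 20 + 8 + 64 = 92 bytes
    std_ping = build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\x00" * 56)    # typical 84-byte ping
    unreach = build_ipv4_icmp(ICMP_UNREACHABLE, b"\x00" * 64)      # 92 bytes but not echo
    for name, p in [("worm-like", worm_like), ("std ping", std_ping), ("unreachable", unreach)]:
        print(f"{name:12} L3={len(p):3} L2-framed={frame_length(p):3} dropped={route_map_matches(p)}")
```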