[nsp] 7200 Platform - Buffer Failures
Streiner, Justin
streiner at stargate.net
Mon Oct 13 12:46:39 EDT 2003
On Mon, 13 Oct 2003, James Galliford wrote:
> Hrm... The small buffers can obviously accommodate a 92 byte packet from
> a Nachi infected host but the majority of buffers that are seeing the
> failures with seem to be big/VeryBig/Huge/Large. We do see occasional
> small buffer failures but they do not seem to be nearly as common. The
> largest MTU on any of the routers interfaces should be 1500. I wonder
> why we would see an 'explosion' in failures for the larger buffer sizes
> that exceed 1500 bytes???
Many DS3-speed interfaces (POET, HSSI) have MTUs greater than 1500,
usually 4470 bytes. Same goes for some ATM interfaces.
Also, while the small buffers can accommodate a 92 byte packet, infected
hosts can often send them out at rates high enough to slam that specific
buffer pool. In the case of the medium and large buffer pools that you
included in your original email, there are other pieces of malware that
can behave the same way as Nachi but with bigger packets.
It's also possible that the traffic isn't malicious - it could have just
been some odd spike in legitimate traffic.
jms
More information about the cisco-nsp
mailing list