[nsp] RE: cisco-nsp Digest, Vol 11, Issue 23

Waldroop, Derek (CCI-Atlanta) Derek.Waldroop at cox.com
Wed Oct 15 07:52:02 EDT 2003


 

anything interesting from -

show ipc status
show ipc nodes
debug ipc

maybe it's traffic somehow infiltrating the backplane of your 7200, dunno.  I've seen some similar


Message: 2
Date: Mon, 13 Oct 2003 12:46:39 -0400 (EDT)
From: "Streiner, Justin" <streiner at stargate.net>
Subject: RE: [nsp] 7200 Platform - Buffer Failures
To: James Galliford <JamesG at corp.ptd.net>
Cc: cisco-nsp at puck.nether.net
Message-ID: <Pine.GSO.4.58.0310131241310.5820 at lurch>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 13 Oct 2003, James Galliford wrote:

> Hrm... The small buffers can obviously accommodate a 92 byte packet from
> a Nachi infected host but the majority of buffers that are seeing the
> failures with seem to be big/VeryBig/Huge/Large.  We do see occasional
> small buffer failures but they do not seem to be nearly as common.  The
> largest MTU on any of the router's interfaces should be 1500.  I wonder
> why we would see an 'explosion' in failures for the larger buffer sizes
> that exceed 1500 bytes???

Many DS3-speed interfaces (POET, HSSI) have MTUs greater than 1500,
usually 4470 bytes.  Same goes for some ATM interfaces.

Also, while the small buffers can accommodate a 92 byte packet, infected
hosts can often send them out at rates high enough to slam that specific
buffer pool.  In the case of the medium and large buffer pools that you
included in your original email, there are other pieces of malware that
can behave the same way as Nachi but with bigger packets.

It's also possible that the traffic isn't malicious - it could have just
been some odd spike in legitimate traffic.

jms
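
Added example, not part of either poster's message: a way to compare two `show buffers` captures and rank the pools by new failures, plus a lookup of which pool a 92-byte or 4470-byte packet would draw from. The sample text is constructed in the `show buffers` layout with made-up counters, the function names are hypothetical, and the pool lookup assumes smallest-fit selection and ignores encapsulation overhead.

```python
import re

HEADER = re.compile(r"^(\w+) buffers, (\d+) bytes")
FAILURES = re.compile(r"(\d+) failures")

def parse_pools(text):
    """Return {pool name: {"size", "failures"}} parsed from `show buffers` text."""
    pools, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = pools.setdefault(m[1], {"size": int(m[2]), "failures": 0})
        elif cur is not None and (m := FAILURES.search(line)):
            cur["failures"] = int(m[1])
    return pools

def failure_growth(before, after, interval_s):
    """Per-pool failure growth between two snapshots, worst pool first."""
    old, new = parse_pools(before), parse_pools(after)
    rows = []
    for name, now in new.items():
        if name not in old:
            continue
        d_fail = now["failures"] - old[name]["failures"]
        if d_fail < 0:  # counters were cleared or the router reloaded
            continue
        rows.append((name, now["size"], d_fail, round(d_fail / interval_s, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def pool_for(packet_bytes, pools):
    """Smallest pool whose buffer size fits the packet (encapsulation ignored)."""
    fits = [(p["size"], n) for n, p in pools.items() if p["size"] >= packet_bytes]
    return min(fits)[1] if fits else None

def sample(rows):
    # Constructed text in the layout of `show buffers`; every counter is made up.
    return "".join(
        f"{n} buffers, {s} bytes (total 50, permanent 50):\n"
        f"     50 in free list (20 min, 150 max allowed)\n"
        f"     {h} hits, {m} misses, 0 trims, 0 created\n"
        f"     {f} failures (0 no memory)\n" for n, s, h, m, f in rows)

T0 = sample([("Small", 104, 9000, 3, 4), ("Big", 1524, 4000, 30, 10),
             ("VeryBig", 4520, 800, 9, 7), ("Huge", 18024, 20, 0, 0)])
T1 = sample([("Small", 104, 9900, 5, 9), ("Big", 1524, 4700, 95, 310),
             ("VeryBig", 4520, 1400, 60, 127), ("Huge", 18024, 20, 0, 0)])

if __name__ == "__main__":
    for row in failure_growth(T0, T1, interval_s=300):
        print("%-8s %6d bytes  +%d failures  (%.2f/s)" % row)
    for size in (92, 1500, 4470):
        print(size, "->", pool_for(size, parse_pools(T1)))
```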




