[c-nsp] Slammer (1434) attack

Josh Duffek consultantjd16 at ridemetro.org
Wed Dec 22 09:41:58 EST 2004


What about adding the log keyword to the end of the ACL?  Couldn't you
also put yourself in that vlan and sniff the wire?

josh duffek    network engineer
consultantjd16 at ridemetro.org

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Amol Sapkal
> Sent: Wednesday, December 22, 2004 8:35 AM
> To: cisco-nsp
> Subject: [c-nsp] Slammer (1434) attack
> 
> Hi,
> I am having a slammer (udp 1434) attack on my network. I have these
> aggregation switches (cat6509s) in the network on which my team has
> applied an access-list blocking the udp port 1434. Now I need to know
> what machine is actually infected. The machines are connected via
> access switches to the aggregator cat 6509.
> 
> Earlier, I suggested that we remove the access-list (or rate-limit the
> udp 1434 traffic on the vlan interface to a minimal value) so that I
> could apply 'ip route-cache flow' on the affected vlan interface and
> check for the host generating traffic on port 1434.
> 
> The catch is, we are not supposed to remove the access-list (as a
> caution to prevent the further spread of the slammer).
> 
> Is there a workaround to know how to get the culprit machine? I tried
> debugging the numbered access-list that is applied on the vlan interface
> using the command 'debug ip packet 140' (where 140 is the extended
> numbered access-list). I did not see any debug output.
> 
> 
> --
> Warm Regds,
> 
> Amol Sapkal
> 
> --------------------------------------------------------------------
> An eye for an eye makes the whole world blind
> - Mahatma Gandhi
> --------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
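
The reply's suggestion to add the `log` keyword to the ACL, followed through as an added example that is not part of the original thread: a Python tally of which inside hosts the deny entry is catching. It assumes the standard IOS `%SEC-6-IPACCESSLOGP` syslog format for logged TCP/UDP ACL hits; the log lines and addresses below are constructed.

```python
import re
from collections import Counter

# IOS logs the first matching packet at once, then periodic summaries that
# carry a packet count, so counts are summed rather than lines counted.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog (not from the thread); ACL 140 is the list named in the post.
SAMPLE_LOG = """\
Dec 22 09:50:01: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.4.37(1170) -> 198.51.100.23(1434), 1 packet
Dec 22 09:50:02: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.4.37(1170) -> 203.0.113.200(1434), 1 packet
Dec 22 09:50:09: %SEC-6-IPACCESSLOGP: list 140 denied tcp 10.20.4.12(3320) -> 192.0.2.8(1434), 1 packet
Dec 22 09:50:15: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.7.90(1029) -> 192.0.2.77(1434), 1 packet
Dec 22 09:55:01: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.4.37(1170) -> 198.51.100.23(1434), 2114 packets
Dec 22 09:55:30: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.9.9(1500) -> 192.0.2.1(1434), 1 packet
Dec 22 09:56:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
""".splitlines()

def slammer_sources(lines, acl="140", port=1434):
    """Return {source_ip: (packets, distinct_destinations)}, busiest source first."""
    packets, dests = Counter(), {}
    for line in lines:
        m = ACL_HIT.search(line)
        if not m:
            continue  # unrelated syslog message
        if (m["acl"], m["action"], m["proto"].lower()) != (acl, "denied", "udp"):
            continue  # other ACL, permit entry, or non-UDP hit
        if int(m["dport"]) != port:
            continue
        packets[m["src"]] += int(m["count"])
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in packets.most_common()}

if __name__ == "__main__":
    for ip, (n, d) in slammer_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} packets to {d} destinations")
```

A source with a high packet count spread over many destinations is the host to trace back through the access switches. Treat the counts as approximate, since the device rate-limits ACL log messages.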


