[c-nsp] Slammer (1434) attack
Gert Doering
gert at greenie.muc.de
Wed Dec 22 09:43:41 EST 2004
Hi,
On Wed, Dec 22, 2004 at 06:34:48AM -0800, Amol Sapkal wrote:
> Earlier, I suggested that we remove the access-list (or rate-limit the
> udp 1434 traffic on the vlan interface to a minimal value) so that I
> could apply 'ip route-cache flow' on the affected vlan interface and
> check for the host generating traffic on port 1434.
I'm not sure about the 6509s, but "in general", if you do NetFlow
exporting, you *will* see packets dropped by an ACL (with a "null"
destination interface).
So this might be a viable approach.
The other "standard" approach is to go to the distribution switches,
and just see which FastE interface has > 90 Mbit/s incoming traffic -
this will be the machine spewing Slammer at you.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
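
An added example, not part of the original message: a small parser that ranks source hosts by packets sent to UDP 1434 in flow-cache output, with an option to count only flows whose destination interface is "Null" (dropped by the ACL). It assumes the classic IOS `show ip cache flow` column layout with hexadecimal protocol and port fields and K/M-abbreviated packet counts; the sample lines and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample, assumed "show ip cache flow" layout (not real capture data).
# Pr, SrcP and DstP are hexadecimal: Pr 11 = UDP, DstP 059A = 1434.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl10          10.1.10.23      Null          198.51.100.7    11 0C2A 059A  4210
Vl10          10.1.10.23      Null          203.0.113.99    11 0C2B 059A  3977
Vl10          10.1.10.57      Gi1/1         192.0.2.10      06 C350 0050    12
Vl20          10.1.20.8       Null          192.0.2.44      11 0D00 059A     3
Vl10          10.1.10.23      Null          192.0.2.200     11 0C2C 059A   12K
Vl30          10.1.30.5       Gi1/1         192.0.2.77      11 0E00 059A    40
Vl10          10.1.10.91      Gi1/1         192.0.2.53      11 D431 0035     2
Vl10          10.1.10.40      Null          192.0.2.9       06 0C2D 059A     9
"""

UDP, SLAMMER_PORT = 0x11, 1434

def pkt_count(s):
    """Convert a packet counter, allowing an assumed K/M abbreviation."""
    mult = {"K": 1000, "M": 1000000}.get(s[-1].upper(), 1)
    return int(s.rstrip("KkMm")) * mult

def parse_flows(text):
    """Yield one dict per flow line; header and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            yield {"src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
                   "proto": int(f[4], 16), "sport": int(f[5], 16),
                   "dport": int(f[6], 16), "pkts": pkt_count(f[7])}
        except ValueError:
            continue  # header row or garbage: fields are not numeric

def slammer_sources(text, dropped_only=False):
    """Sum packets per (source IP, ingress interface) for UDP flows to 1434."""
    totals = Counter()
    for fl in parse_flows(text):
        if fl["proto"] != UDP or fl["dport"] != SLAMMER_PORT:
            continue
        if dropped_only and fl["dst_if"] != "Null":
            continue  # keep only flows the ACL dropped
        totals[(fl["src"], fl["src_if"])] += fl["pkts"]
    return totals.most_common()

if __name__ == "__main__":
    for (src, ifname), pkts in slammer_sources(SAMPLE, dropped_only=True):
        print(f"{src:15} {ifname:6} {pkts}")
```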