Fwd: [c-nsp] Slammer (1434) attack

Amol Sapkal amolsapkal at gmail.com
Wed Dec 22 09:48:05 EST 2004


---------- Forwarded message ----------
From: Amol Sapkal <amolsapkal at gmail.com>
Date: Wed, 22 Dec 2004 06:44:32 -0800
Subject: Re: [c-nsp] Slammer (1434) attack
To: Josh Duffek <consultantjd16 at ridemetro.org>


Thanks! The 'log' keyword just slipped my mind. I think log should
take care of it. Regarding sniffing, that is the last option I am
looking at, as it is going to be a while before I am actually able
to sniff the wire.

Regds,
Amol


On Wed, 22 Dec 2004 08:41:58 -0600, Josh Duffek
<consultantjd16 at ridemetro.org> wrote:
> What about adding the log keyword to the end of the ACL?  Couldn't you
> also put yourself in that vlan and sniff the wire?
>
> josh duffek    network engineer
> consultantjd16 at ridemetro.org
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Amol Sapkal
> > Sent: Wednesday, December 22, 2004 8:35 AM
> > To: cisco-nsp
> > Subject: [c-nsp] Slammer (1434) attack
> >
> > Hi,
> > I am having a slammer (udp 1434) attack on my network. I have these
> > aggregation switches (cat6509s) in the network on which my team has
> > applied an access-list blocking the udp port 1434. Now I need to know
> > which machine is actually infected. The machines are connected via
> > access switches to the aggregator cat 6509.
> >
> > Earlier, I suggested that we remove the access-list (or rate-limit the
> > udp 1434 traffic on the vlan interface to a minimal value) so that I
> > could apply 'ip route-cache flow' on the affected vlan interface and
> > check for the host generating traffic on port 1434.
> >
> > The catch is, we are not supposed to remove the access-list (as a
> > caution to prevent the further spread of the slammer).
> >
> > Is there a workaround to find the culprit machine? I tried
> > debugging the numbered access-list that is applied on the vlan interface
> > using the command 'debug ip packet 140' (where 140 is the extended
> > numbered access-list). I did not see any debug output.
> >
> > --
> > Warm Regds,
> >
> > Amol Sapkal
> >
> > --------------------------------------------------------------------
> > An eye for an eye makes the whole world blind
> > - Mahatma Gandhi
> > --------------------------------------------------------------------
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>


--
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------


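Josh's 'log' suggestion, worked through as an added example that is not part of the thread. Changing the deny entry on the 6509 to the form `access-list 140 deny udp any any eq 1434 log` (assumed form; only the list number 140 comes from the thread) makes IOS emit `%SEC-6-IPACCESSLOGP` syslog messages naming the source address of each matching packet, so the infected host can be read off `show logging` without lifting the block. Two caveats a practitioner would want: IOS logs the first match and then a summary roughly every five minutes with an aggregate packet count, so counts have to be summed rather than counted per line; and on a Catalyst 6500 every packet that hits a `log` entry is punted to the MSFC instead of being dropped in hardware, so the entry should stay only as long as it takes to find the host. `log-input` instead of `log` additionally records the ingress interface and source MAC, which points straight at the access switch. The script below parses constructed sample log lines (the addresses are invented) and ranks sources by packets sent to udp/1434 and by the number of distinct destinations, since a Slammer host sprays random destinations while a legitimate client talks to one SQL Server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the IOS %SEC-6-IPACCESSLOGP format (not taken
# from the thread). An entry 'access-list 140 deny udp any any eq 1434 log'
# would produce lines like these; the IP addresses are invented.
SAMPLE_LOG = """\
Dec 22 14:40:01.123: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.30.40(1071) -> 192.0.2.17(1434), 1 packet
Dec 22 14:40:01.456: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.30.40(1071) -> 198.51.100.9(1434), 1 packet
Dec 22 14:40:02.001: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.30.55(3389) -> 10.20.30.1(1434), 1 packet
Dec 22 14:40:03.765: %SEC-6-IPACCESSLOGP: list 140 permitted udp 10.20.30.7(1052) -> 10.20.31.9(53), 1 packet
Dec 22 14:45:01.200: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.30.40(1071) -> 203.0.113.5(1434), 1834 packets
Dec 22 14:45:02.000: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.20.30.55(3389) -> 10.20.30.2(1434), 2 packets
"""

# One IPACCESSLOGP line: list, action, protocol, src(port) -> dst(port), count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec


def slammer_sources(text, acl="140", dport=1434, min_packets=1):
    """Rank internal sources hitting udp/<dport> on the given ACL.

    Returns a list of (src, total_packets, distinct_destinations), busiest
    first. Packet counts are summed because IOS logs the first match and
    then a periodic summary ('N packets') rather than every packet.
    """
    packets = Counter()
    dests = defaultdict(set)
    for rec in parse_acl_log(text):
        if (rec["acl"] != acl or rec["action"] != "denied"
                or rec["proto"] != "udp" or rec["dport"] != dport):
            continue
        packets[rec["src"]] += rec["count"]
        dests[rec["src"]].add(rec["dst"])
    ranked = [(src, n, len(dests[src]))
              for src, n in packets.items() if n >= min_packets]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for src, n, ndst in slammer_sources(SAMPLE_LOG):
        print(f"{src:15} {n:6} packets to {ndst} distinct hosts on udp/1434")
```

Feed it the output of `show logging` or the syslog file the switch exports to; on the sample input the host 10.20.30.40 stands out with 1836 packets to three different destinations, while 10.20.30.55 sent three packets to two hosts.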
