[c-nsp] Slammer (1434) attack
Rodney Dunn
rodunn at cisco.com
Wed Dec 22 11:48:34 EST 2004
I haven't done it on the 65xx but I know for software
the DST interface for an ACL drop is Null0 as Gert said.
I would think the 65xx works the same way.

I don't suggest people do the "log" route.
Export the traffic and see if it shows up as Null0.
That's the most scalable way to do it.

On Wed, Dec 22, 2004 at 03:43:41PM +0100, Gert Doering wrote:
> Hi,
>
> On Wed, Dec 22, 2004 at 06:34:48AM -0800, Amol Sapkal wrote:
> > Earlier, I suggested that we remove the access-list (or rate-limit the
> > udp 1434 traffic on the vlan interface to a minimal value) so that I
> > could apply 'ip route-cache flow' on the affected vlan interface and
> > check for the host generating traffic on port 1434.
>
> I'm not sure about the 6509s, but "in general", if you do netflow
> exporting, you *will* see packets dropped by an ACL (with a "null"
> destination interface).
>
> So this might be a viable approach.
>
> The other "standard" approach is to go to the distribution switches,
> and just see which FastE interface has > 90 mbit/s incoming traffic -
> this will be the machine spewing slammer at you.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
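
The check discussed in this thread (export NetFlow and look for ACL-dropped UDP/1434 flows with a null destination interface), as an added example that is not part of the original posts. It assumes NetFlow v5 export and that dropped flows carry output ifIndex 0; the function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes
UDP, SLAMMER_PORT = 17, 1434
NULL_IFINDEX = 0  # assumption: ACL-dropped flows are exported with output ifIndex 0

def dropped_slammer_sources(datagram):
    """Return Counter {source IP: packets} for UDP/1434 flows sent to the null interface."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    hits = Counter()
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # Field order: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
        # first, last, srcport, dstport, pad1, tcp_flags, prot, ...
        src, out_if, pkts, dport, proto = f[0], f[4], f[5], f[10], f[13]
        if proto == UDP and dport == SLAMMER_PORT and out_if == NULL_IFINDEX:
            hits[str(ipaddress.IPv4Address(src))] += pkts
    return hits

def _flow(src, dst, out_if, pkts, dport, proto):
    """Pack one constructed v5 record (test data, not captured traffic)."""
    return RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       0, 3, out_if, pkts, pkts * 404, 0, 0, 1025, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)

def sample_datagram():
    """Constructed export datagram: one noisy host plus two flows that must not match."""
    flows = [
        _flow("10.1.20.57", "198.51.100.9", 0, 9000, 1434, 17),
        _flow("10.1.20.57", "203.0.113.44", 0, 8500, 1434, 17),
        _flow("10.1.20.12", "192.0.2.10", 7, 40, 1434, 17),  # forwarded, not dropped
        _flow("10.1.20.30", "192.0.2.80", 0, 12, 80, 6),     # dropped, but not UDP/1434
    ]
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + b"".join(flows)

if __name__ == "__main__":
    for ip, pkts in dropped_slammer_sources(sample_datagram()).most_common():
        print(ip, pkts)
```

Sorting the result by packet count puts the infected host at the top without removing the ACL or enabling per-packet logging.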