[c-nsp] Slammer (1434) attack

Amol Sapkal amolsapkal at gmail.com
Wed Dec 22 12:50:43 EST 2004


I happened to speak to the team that handles the access switches (4000
series), and a few of the infected machines could be identified using a
sniffer. The switches still show a consistent 55-60% utilization even
after shutting down the infected hosts' ports.

What is the normal CPU utilization for a 4000 series switch? I do not
remember working on switch CPU problems before.




On Wed, 22 Dec 2004 09:33:35 -0800, Kevin Graham <mahargk at gmail.com> wrote:
> Since these are 6500's, you handle this in a VACL and then redirect to
> a port where you've got a sniffer to collect a list of infected
> machines.
> 
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/secure.htm#wp1043908
> 
> Good luck!
> 
> On Wed, 22 Dec 2004 06:58:51 -0800, Amol Sapkal <amolsapkal at gmail.com> wrote:
> > On Wed, 22 Dec 2004 15:56:54 +0100, Brian Turnbow <b.turnbow at twt.it> wrote:
> > > Be careful logging the ACL if the attack is in progress!
> > > Try looking at traffic on the access ports first.
> >
> >
> > Are you saying that it would eat up the switch cpu?
> >
> >
> > >
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Amol Sapkal
> > > Sent: Wednesday, December 22, 2004 15:48
> > > To: cisco-nsp
> > > Subject: Fwd: [c-nsp] Slammer (1434) attack
> > >
> > > ---------- Forwarded message ----------
> > > From: Amol Sapkal <amolsapkal at gmail.com>
> > > Date: Wed, 22 Dec 2004 06:44:32 -0800
> > > Subject: Re: [c-nsp] Slammer (1434) attack
> > > To: Josh Duffek <consultantjd16 at ridemetro.org>
> > >
> > > Thanks! The 'log' keyword just slipped my mind. I think log should take care of it. Regarding sniffing, that is the last option I am looking at, as it is going to be some time before I am actually able to sniff the wire.
> > >
> > > Regds,
> > > Amol
> > >
> > > On Wed, 22 Dec 2004 08:41:58 -0600, Josh Duffek <consultantjd16 at ridemetro.org> wrote:
> > > > What about adding the log keyword to the end of the ACL?  Couldn't you
> > > > also put yourself in that vlan and sniff the wire?
> > > >
> > > > josh duffek    network engineer
> > > > consultantjd16 at ridemetro.org
> > > >
> > > > > -----Original Message-----
> > > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > > > bounces at puck.nether.net] On Behalf Of Amol Sapkal
> > > > > Sent: Wednesday, December 22, 2004 8:35 AM
> > > > > To: cisco-nsp
> > > > > Subject: [c-nsp] Slammer (1434) attack
> > > > >
> > > > > Hi,
> > > > > I am having a Slammer (UDP 1434) attack on my network. I have these
> > > > > aggregation switches (Cat 6509s) in the network on which my team has
> > > > > applied an access-list blocking UDP port 1434. Now I need to know
> > > > > which machine is actually infected. The machines are connected via
> > > > > access switches to the aggregator Cat 6509.
> > > > >
> > > > > Earlier, I suggested that we remove the access-list (or rate-limit
> > > > > the UDP 1434 traffic on the VLAN interface to a minimal value) so
> > > > > that I could apply 'ip route-cache flow' on the affected VLAN
> > > > > interface and check for the host generating traffic on port 1434.
> > > > >
> > > > > The catch is, we are not supposed to remove the access-list (as a
> > > > > precaution to prevent the further spread of Slammer).
> > > > >
> > > > > Is there a workaround to find the culprit machine? I
> > > > > tried debugging the numbered access-list that is applied on the VLAN
> > > > > interface using the command 'debug ip packet 140' (where 140 is the
> > > > > extended numbered access-list). I did not see any debug output.
> > > > >
> > > > >
> > > > > --
> > > > > Warm Regds,
> > > > >
> > > > > Amol Sapkal
> > > > >
> > > > > --------------------------------------------------------------------
> > > > > An eye for an eye makes the whole world blind
> > > > > - Mahatma Gandhi
> > > > > --------------------------------------------------------------------
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >
> > >
> >
> >
> 


-- 
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind 
- Mahatma Gandhi
--------------------------------------------------------------------
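The thread's suggested approach is to keep the UDP/1434 deny in place but add the 'log' (or 'log-input') keyword so that the 6509 reports who is hitting the ACL. What follows is an added example, not code from the thread or from Cisco: a small Python script that reads those IOS %SEC-6-IPACCESSLOGP syslog lines and ranks source hosts by how many distinct destinations they spray UDP/1434 at, which is the Slammer tell (a real SQL client talks to one or two servers; the worm scans random addresses). The log lines below are constructed for the example, not captured from the poster's network, and the message format assumed is the standard IOS one: an initial single-packet line followed, at the default five-minute log-update interval, by a summary line with an "N packets" count, which is why the counts are summed. With 'log-input' the line also carries the ingress interface and source MAC, which is what you need to walk down to the access switch port.

```python
"""Rank likely Slammer-infected hosts from Cisco ACL 'log' syslog lines.

Added example, not from the original thread. It assumes the IOS
%SEC-6-IPACCESSLOGP message format that an extended ACL entry with the
'log' or 'log-input' keyword produces; SAMPLE_LOG below is constructed.
"""
import re

# Matches both the 'log' and the 'log-input' forms, e.g.
#   list 140 denied udp 10.1.20.7(1032) -> 10.2.0.5(1434), 1 packet
#   list 140 denied udp 10.1.31.44(1434) (Vlan31 0012.3456.789a) -> 10.2.0.99(1434), 250 packets
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: one host spraying many destinations, one host hitting a
# single server from a log-input line (with interface and MAC), one benign
# client, and one TCP line that must be ignored.
SAMPLE_LOG = """\
Dec 22 14:35:01 agg-6509-1 1234: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.20.7(1032) -> 10.2.0.5(1434), 1 packet
Dec 22 14:35:01 agg-6509-1 1235: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.20.7(1032) -> 172.16.9.2(1434), 1 packet
Dec 22 14:35:02 agg-6509-1 1236: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.31.44(1434) (Vlan31 0012.3456.789a) -> 10.2.0.99(1434), 1 packet
Dec 22 14:35:04 agg-6509-1 1237: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.20.7(1032) -> 10.9.9.9(1434), 1 packet
Dec 22 14:40:01 agg-6509-1 1238: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.20.7(1032) -> 10.2.0.5(1434), 312 packets
Dec 22 14:40:01 agg-6509-1 1239: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.31.44(1434) (Vlan31 0012.3456.789a) -> 10.2.0.99(1434), 250 packets
Dec 22 14:40:03 agg-6509-1 1240: %SEC-6-IPACCESSLOGP: list 140 permitted tcp 10.1.50.3(51000) -> 10.2.0.5(1434), 1 packet
Dec 22 14:40:05 agg-6509-1 1241: %SEC-6-IPACCESSLOGP: list 140 denied udp 10.1.50.3(40001) -> 10.2.0.5(1434), 1 packet
"""


def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def rank_sources(text, proto="udp", dport=1434):
    """Aggregate matching records per source host and rank the likely scanners.

    Sort key is (distinct destinations, total packets), descending: a worm
    scanning random addresses shows up as many targets, whereas a legitimate
    client, even a chatty one, talks to a fixed handful of servers.
    """
    hosts = {}
    for rec in parse_acl_log(text):
        if rec["proto"] != proto or rec["dport"] != dport:
            continue
        h = hosts.setdefault(rec["src"], {"src": rec["src"], "packets": 0,
                                          "dsts": set(), "ifname": None, "mac": None})
        h["packets"] += rec["count"]          # first-packet line plus periodic summaries
        h["dsts"].add(rec["dst"])
        if rec["ifname"]:                     # only present with 'log-input'
            h["ifname"], h["mac"] = rec["ifname"], rec["mac"]
    ranked = [{"src": h["src"], "packets": h["packets"], "targets": len(h["dsts"]),
               "ifname": h["ifname"], "mac": h["mac"]} for h in hosts.values()]
    ranked.sort(key=lambda h: (h["targets"], h["packets"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for h in rank_sources(SAMPLE_LOG):
        where = f" on {h['ifname']} ({h['mac']})" if h["ifname"] else ""
        print(f"{h['src']:<16}{h['packets']:>6} pkts to {h['targets']} host(s){where}")
```

Feed it the syslog file from the collector rather than the console: ACL logging on a 6500 is handled by the route processor, so under a worm load it is exactly the CPU hit Brian warns about above. Use 'ip access-list log-update threshold' and 'logging rate-limit' to bound it, and expect the packet counts to be an undercount once rate-limiting kicks in; the distinct-destination count degrades much more gracefully than the packet total, which is why the script sorts on it first.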