[c-nsp] Slammer (1434) attack

Amol Sapkal amolsapkal at gmail.com
Wed Dec 22 13:18:27 EST 2004


This is strange.

I did use netflow (ip route-cache flow enabled on every vlan of the
6509) and was surprised to see any entry for Destination port 059A
(1434) or 0599 (1433) in the output of 'show ip cache flow'.

Meanwhile, the 4000 series access switches are still reeling under high
CPU utilization.




On Wed, 22 Dec 2004 11:48:34 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
> I haven't done it on the 65xx but I know for software
> the DST interface for an ACL drop is Null0 as Gert said.
> I would think the 65xx works the same way.
> 
> I don't suggest people do the "log" route.
> Export the traffic and see if it shows up as
> Null0.
> 
> That's the most scalable way to do it.
> 
> On Wed, Dec 22, 2004 at 03:43:41PM +0100, Gert Doering wrote:
> > Hi,
> >
> > On Wed, Dec 22, 2004 at 06:34:48AM -0800, Amol Sapkal wrote:
> > > Earlier, I suggested that we remove the access-list (or rate-limit the
> > > udp 1434 traffic on the vlan interface to a minimal value) so that I
> > > could apply 'ip route-cache flow' on the affected vlan interface and
> > > check for the host generating traffic on port 1434.
> >
> > I'm not sure about the 6509s, but "in general", if you do netflow
> > exporting, you *will* see packets dropped by an ACL (with a "null"
> > destination interface).
> >
> > So this might be a viable approach.
> >
> > The other "standard" approach is to go to the distribution switches,
> > and just see which FastE interface has > 90 mbit/s incoming traffic -
> > this will be the machine spewing slammer at you.
> >
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >                                                            //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                             gert at greenie.muc.de
> > fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


-- 
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind 
- Mahatma Gandhi
--------------------------------------------------------------------
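
The check discussed in this thread (looking in 'show ip cache flow' for destination port 059A and for flows whose destination interface is Null), as an added example that is not part of the original messages. The sample text is constructed, uses documentation addresses, and assumes the usual flow-record column layout with Pr, SrcP and DstP printed in hex; `parse_flows` and `suspect_sources` are hypothetical helper names.

```python
import re

# Constructed sample, laid out like 'show ip cache flow' flow records.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl20          192.0.2.45      Null          198.51.100.7    11 0C21 059A     1
Vl20          192.0.2.45      Null          203.0.113.99    11 0C21 059A     1
Vl20          192.0.2.45      Vl30          198.51.100.200  11 0C22 059A     3
Vl10          192.0.2.10      Vl30          198.51.100.5    06 0D11 0599    12
Vl10          192.0.2.11      Vl30          198.51.100.5    06 C350 0050    40
Vl20          192.0.2.46      Vl30          198.51.100.9    11 0035 0C44     2
"""

FLOW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+[KM]?)\s*$"
)

def parse_flows(text):
    """Return one dict per flow record; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if not m:
            continue
        pk = m["pkts"]
        mult = {"K": 1000, "M": 1000000}.get(pk[-1], 1)
        flows.append({
            "src": m["src"], "dst": m["dst"], "dst_if": m["dst_if"],
            "proto": int(m["pr"], 16),      # 11 hex = 17 = UDP, 06 = TCP
            "dport": int(m["dport"], 16),   # 059A hex = 1434, 0599 hex = 1433
            "pkts": int(pk.rstrip("KM")) * mult,
        })
    return flows

def suspect_sources(text, watch=((17, 1434),)):
    """Rank sources by distinct destinations hit on the watched (proto, port) pairs.
    Each row is (src, flows, distinct_dsts, flows_with_Null_DstIf)."""
    stats = {}
    for f in parse_flows(text):
        if (f["proto"], f["dport"]) not in watch:
            continue
        s = stats.setdefault(f["src"], {"flows": 0, "dsts": set(), "null": 0})
        s["flows"] += 1
        s["dsts"].add(f["dst"])
        s["null"] += f["dst_if"].lower().startswith("null")  # dropped by ACL
    rows = [(src, s["flows"], len(s["dsts"]), s["null"]) for src, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for row in suspect_sources(SAMPLE):
        print(row)
```

Passing `watch=((6, 1433),)` applies the same ranking to the TCP 1433 (0599) entries mentioned above.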

