[c-nsp] Slammer (1434) attack

Tim Stevenson tstevens at cisco.com
Wed Dec 22 17:09:29 EST 2004


Yes, you should NOT use ACL w/log keyword in this version, everything 
matching the ACE(s) with "log" will be punted to the CPU.

With this code, there are not as many options as w/later code (or later 
supervisors), such as h/w rate limiting of traffic punted due to ACL logging.

But, do you have icmp unreachables or redirects enabled on your vlan 
interfaces? ACL drops are all done in the h/w, but if you have unreachables 
or redirects enabled on sup2, we leak a small # of packets to the CPU 
(.5pps per vlan). (Assume this is straight IOS, not CatOS/IOS...)

This means that the s/w netflow options others suggested will work for you 
(ie, enabling ip route-cache flow on the vlan i/fs & either monitoring at a 
NF collector, or on the box itself w/sh ip cache flow). If unreachables and 
redirects are off though, nothing gets punted and you won't see any stats here.

Note that we do install NF entries in the h/w as well even for ACL denied 
flows, but stats are not incremented & so no export occurs for them. But 
you can do sh mls ip to see the flows. But this might be cumbersome to do, 
since you'll see all flows, not just those punted to s/w as above, and cuz 
the output is split over 2 lines so | filters aren't going to work as well 
... Also, you'll only see the "relevant" info if you are running with a 
full flow mask, mls flow ip full, so you can see the L4 info.

Hope that helps,

Tim

At 11:47 AM 12/22/2004, Amol Sapkal exclaimed:
>Hey Tim,
>
>Apologies for not posting this directly to the list. I do not have
>direct access to the switches, very new to the current setup.
>
>Here are the details:
>
>
>MSFC2
>12.1(8b) E18
>SUP2
>
>
>
>On Wed, 22 Dec 2004 10:39:03 -0800, Tim Stevenson <tstevens at cisco.com> wrote:
> > Please let us know what supervisor engine & s/w version you are using on
> > the 6500s. That will greatly impact the recommendations.
> >
> > For example, ACL w/log is harmless on some sups - with the right
> > configuration -and disastrous on others.
> >
> > Tim
> >
> > At 09:00 AM 12/22/2004, cisco-nsp-request at puck.nether.net exclaimed:
> > >Message: 6
> > >Date: Wed, 22 Dec 2004 11:48:34 -0500
> > >From: Rodney Dunn <rodunn at cisco.com>
> > >Subject: Re: [c-nsp] Slammer (1434) attack
> > >To: Gert Doering <gert at greenie.muc.de>
> > >Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> > >Message-ID: <20041222114834.C4647 at rtp-cse-489.cisco.com>
> > >Content-Type: text/plain; charset=us-ascii
> > >
> > >I haven't done it on the 65xx but I know for software
> > >the DST interface for an ACL drop is Null0 as Gert said.
> > >I would think the 65xx works the same way.
> > >
> > >I don't suggest people do the "log" route.
> > >Export the traffic and see if it shows up as
> > >Null0.
> > >
> > >That's the most scalable way to do it.
> >
> >
> > Tim Stevenson, tstevens at cisco.com
> > Routing & Switching CCIE #5561
> > Technical Marketing Engineer, Catalyst 6500
> > Cisco Systems, http://www.cisco.com
> > IP Phone: 408-526-6759
> > ********************************************************
> > The contents of this message may be *Cisco Confidential*
> > and are intended for the specified recipients only.
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
>--
>Warm Regds,
>
>Amol Sapkal
>
>--------------------------------------------------------------------
>An eye for an eye makes the whole world blind
>- Mahatma Gandhi
>--------------------------------------------------------------------



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


More information about the cisco-nsp mailing list