[c-nsp] Slammer (1434) attack
Amol Sapkal
amolsapkal at gmail.com
Thu Dec 23 07:53:59 EST 2004
On Wed, 22 Dec 2004 14:09:29 -0800, Tim Stevenson <tstevens at cisco.com> wrote:
> Yes, you should NOT use ACL w/log keyword in this version, everything
> matching the ACE(s) with "log" will be punted to the CPU.
>
> With this code, there are not as many options as w/later code (or later
> supervisors), such as h/w rate limiting of traffic punted due to ACL logging.
>
> But, do you have icmp unreachables or redirects enabled on your vlan
> interfaces? ACL drops are all done in the h/w, but if you have unreachables
> or redirects enabled on sup2, we leak a small # of packets to the CPU
> (.5pps per vlan). (Assume this is straight IOS, not CatOS/IOS...)
>
> This means that the s/w netflow options others suggested will work for you
> (ie, enabling ip route-cache flow on the vlan i/fs & either monitoring at a
> NF collector, or on the box itself w/sh ip cache flow). If unreachables and
> redirects are off though, nothing gets punted and you won't see any stats here.
>
I am not sure of how ACLs are processed on normal routers, but I
remember reading on a site that 'on a cat 65xxACLs are processed in
hardware and so the length of ACLs do not affect the performance of
the swith'.
Now I am unsure whether access-list logging has anything to do with
the load on the cpu. How is it going to affect the performance of the
switch. And interestingly, what happens in case of a router like a
75xx, incase logging is enabled?
> Note that we do install NF entries in the h/w as well even for ACL denied
> flows, but stats are not incremented & so no export occurs for them. But
> you can do sh mls ip to see the flows. But this might be cumbersome to do,
> since you'll see all flows, not just those punted to s/w as above, and cuz
> the output is split over 2 lines so | filters aren't going to work as well
Are you saying that irrespective of what is configured in the ACL, the
packets arriving on an i/f will be showing up in the 'sh ip cache
flow' (but with a NULL destn)?
> ... Also, you'll only see the "relevant" info if you are running with a
> full flow mask, mls flow ip full, so you can see the L4 info.
>
> Hope that helps,
>
> Tim
>
> At 11:47 AM 12/22/2004, Amol Sapkal exclaimed:
> >Hey Tim,
> >
> >Apologies for not posting this directly to the list. I do not have
> >direct access to the switches, very new to the current setup.
> >
> >Here are the details:
> >
> >
> >MSFC2
> >12.1(8b) E18
> >SUP2
> >
> >
> >
> >On Wed, 22 Dec 2004 10:39:03 -0800, Tim Stevenson <tstevens at cisco.com> wrote:
> > > Please let us know what supervisor engine & s/w version you are using on
> > > the 6500s. That will greatly impact the recommendations.
> > >
> > > For example, ACL w/log is harmless on some sups - with the right
> > > configuration -and disastrous on others.
> > >
> > > Tim
> > >
> > > At 09:00 AM 12/22/2004, cisco-nsp-request at puck.nether.net exclaimed:
> > > >Message: 6
> > > >Date: Wed, 22 Dec 2004 11:48:34 -0500
> > > >From: Rodney Dunn <rodunn at cisco.com>
> > > >Subject: Re: [c-nsp] Slammer (1434) attack
> > > >To: Gert Doering <gert at greenie.muc.de>
> > > >Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> > > >Message-ID: <20041222114834.C4647 at rtp-cse-489.cisco.com>
> > > >Content-Type: text/plain; charset=us-ascii
> > > >
> > > >I haven't done it on the 65xx but I know for software
> > > >the DST interface for an ACL drop is Null0 as Gert said.
> > > >I would think the 65xx works the same way.
> > > >
> > > >I don't suggest people do the "log" route.
> > > >Export the traffic and see if it shows up as
> > > >Null0.
> > > >
> > > >That's the most scalable way to do it.
> > >
> > >
> > > Tim Stevenson, tstevens at cisco.com
> > > Routing & Switching CCIE #5561
> > > Technical Marketing Engineer, Catalyst 6500
> > > Cisco Systems, http://www.cisco.com
> > > IP Phone: 408-526-6759
> > > ********************************************************
> > > The contents of this message may be *Cisco Confidential*
> > > and are intended for the specified recipients only.
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
> >
> >--
> >Warm Regds,
> >
> >Amol Sapkal
> >
> >--------------------------------------------------------------------
> >An eye for an eye makes the whole world blind
> >- Mahatma Gandhi
> >--------------------------------------------------------------------
>
> Tim Stevenson, tstevens at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Catalyst 6500
> Cisco Systems, http://www.cisco.com
> IP Phone: 408-526-6759
> ********************************************************
> The contents of this message may be *Cisco Confidential*
> and are intended for the specified recipients only.
>
--
Warm Regds,
Amol Sapkal
--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------
More information about the cisco-nsp
mailing list