[c-nsp] 6500 under DDoS
Blaz Zupan
blaz at inlimbo.org
Tue Jul 27 16:22:59 EDT 2004
> what supervisor/msfc do you have? do you have cef enabled?
Sup720. CEF is on.
> can you show ip int gix/x and send the output? also sh proc cpu | e 0.00
>
> can you show the config of the ingress and egress interface for this attack..
> i'm particularly interested in what acls you have
What I just now found out is that they had "ip nbar protocol-discovery"
configured, which is definitely software switched. They have now turned it
off. We'll see what happens when the next DDoS comes. Does anybody on the list
have a botnet under their control, so we can perform a test? :-)
Here are their ACLs:
ip access-list extended BORDER-INP
 deny udp any any range 1433 1434
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
ip access-list extended BORDER-OUT
 deny udp any any range 1433 1434
 deny udp any any eq snmp
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
And here is the interface towards us:
interface GigabitEthernet5/2
 ip address x.x.x.x 255.255.255.252
 ip access-group BORDER-INP in
 ip access-group BORDER-OUT out
 load-interval 30
 no cdp enable
And here is the interface towards their core:
interface GigabitEthernet5/1
 no ip address
 load-interval 30
 switchport
 switchport access vlan 99
interface Vlan99
 ip address i.i.i.i 255.255.255.248
 no ip igmp snooping explicit-tracking
 no ipv6 mld snooping explicit-tracking
 no ipv6 mld snooping
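The ACLs posted above are short enough to read by eye, but when reviewing what a border filter actually does during an attack it helps to evaluate sample flows against it with IOS first-match semantics (and the implicit deny at the end). The following is an added example, not code from the original post or from Cisco: a small parser for extended ACLs of the shape used here (`permit|deny proto any any [eq port | range lo hi]`) plus an evaluator. The two ACL texts are copied from the post; the port-name table, the sample flows and all function names are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# The two ACLs exactly as posted in the thread (copied, not constructed).
BORDER_INP = """
ip access-list extended BORDER-INP
 deny udp any any range 1433 1434
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
"""

BORDER_OUT = """
ip access-list extended BORDER-OUT
 deny udp any any range 1433 1434
 deny udp any any eq snmp
 deny tcp any any eq 5554
 deny tcp any any eq 9996
 deny tcp any any eq 445
 permit ip any any
"""

# Assumption: only the IOS port keywords needed for these ACLs (plus a few
# common ones) are mapped here; extend as required.
PORT_NAMES = {"snmp": 161, "snmptrap": 162, "domain": 53, "www": 80}

# Extended ACE with "any any" source/destination and an optional destination
# port operator (eq or range); other ACE forms are rejected explicitly.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+any\s+any"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\S+)\s+(?P<hi>\S+))?\s*$"
)


def _port(tok: str) -> int:
    """Resolve a numeric port or an IOS port keyword."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port keyword {tok!r}")


def parse_acl(text: str) -> Tuple[Optional[str], List[dict]]:
    """Return (acl_name, [ace, ...]) in configured order."""
    name, aces = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("ip access-list extended "):
            name = line.split()[-1]
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        lo = hi = None
        if m.group("eq"):
            lo = hi = _port(m.group("eq"))
        elif m.group("lo"):
            lo, hi = _port(m.group("lo")), _port(m.group("hi"))
        aces.append({"action": m.group("action"), "proto": m.group("proto"),
                     "lo": lo, "hi": hi})
    return name, aces


def evaluate(aces: List[dict], proto: str, dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, 1-based ACE index).

    Falls through to IOS's implicit 'deny' (index None) if nothing matches.
    dport is None for protocols without ports (e.g. icmp).
    """
    for idx, ace in enumerate(aces, 1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["lo"] is not None and (dport is None or not ace["lo"] <= dport <= ace["hi"]):
            continue
        return ace["action"], idx
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows to illustrate what the border filter hits.
    flows = [("udp", 1434), ("udp", 161), ("tcp", 445), ("tcp", 80), ("icmp", None)]
    for text in (BORDER_INP, BORDER_OUT):
        name, aces = parse_acl(text)
        for proto, dport in flows:
            action, idx = evaluate(aces, proto, dport)
            print(f"{name}: {proto}/{dport} -> {action} (ACE {idx})")
```

Running it shows the point the thread is circling around: apart from a handful of worm ports (and SNMP on egress), every flow lands on the final `permit ip any any`, so the ACLs themselves contribute nothing against volumetric traffic; whether the box survives comes down to what is hardware-switched, which is why a software-switched feature like NBAR protocol discovery mattered.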