[c-nsp] 6500 under DDoS

Stephen J. Wilcox steve at telecomplete.co.uk
Tue Jul 27 17:04:11 EDT 2004


On Tue, 27 Jul 2004, Blaz Zupan wrote:

> What I just now found out is that they had "ip nbar protocol-discovery"
> configured, which is definitely software switched. They have now turned it off.

yeah, that'll be it then

> We'll see what happens when the next DDoS comes. Does anybody on the list
> have a botnet under their control, so we can perform a test? :-)

for sure, although they're not likely to post :)

> Here are their ACLs:

I would personally suggest these are not things you want to be controlling at
your border, but that depends on what type of org they are. The traffic on these
ports is very low, and filtering it is better done next to the users.

check this page to ensure they're not processing the ACL in software:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

Steve

>
> ip access-list extended BORDER-INP
>  deny   udp any any range 1433 1434
>  deny   tcp any any eq 5554
>  deny   tcp any any eq 9996
>  deny   tcp any any eq 445
>  permit ip any any
> 
> ip access-list extended BORDER-OUT
>  deny   udp any any range 1433 1434
>  deny   udp any any eq snmp
>  deny   tcp any any eq 5554
>  deny   tcp any any eq 9996
>  deny   tcp any any eq 445
>  permit ip any any
> 
> And here is the interface towards us:
> 
> interface GigabitEthernet5/2
>  ip address x.x.x.x 255.255.255.252
>  ip access-group BORDER-INP in
>  ip access-group BORDER-OUT out
>  load-interval 30
>  no cdp enable
> 
> And here is the interface towards their core:
> 
> interface GigabitEthernet5/1
>  no ip address
>  load-interval 30
>  switchport
>  switchport access vlan 99
> 
> interface Vlan99
>  ip address i.i.i.i 255.255.255.248
>  no ip igmp snooping explicit-tracking
>  no ipv6 mld snooping explicit-tracking
>  no ipv6 mld snooping
> 
> 
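To make the check Steve points at concrete, here is an added example that is not part of the thread and not Cisco code: a small Python lint that reads IOS extended ACLs such as the ones quoted above (mail-quote prefixes included) and flags access-list entries a Catalyst 6500 PFC cannot keep in TCAM and has to punt to the MSFC CPU. The keyword set (log, log-input, reflect, evaluate, dynamic) and the LOU counting are assumptions drawn from general knowledge of the platform, not a transcription of the linked white paper; confirm them against the document for the supervisor in use. The BAD-BORDER ACL is constructed for contrast.

```python
"""Lint Cisco IOS extended ACLs for entries a Catalyst 6500 PFC cannot keep
in hardware (TCAM) and has to punt to the MSFC CPU.

Added example for the cisco-nsp thread; not Cisco code. The keyword set and
the LOU rule below are assumptions from general 6500 knowledge."""
import re
from dataclasses import dataclass, field

# ACE keywords that force software processing (assumption, see module doc):
#   log / log-input    matching packets are punted to the RP to be logged
#   reflect / evaluate reflexive ACLs are not implemented in the TCAM
#   dynamic            lock-and-key entries are built by the CPU at run time
SOFTWARE_KEYWORDS = {"log", "log-input", "reflect", "evaluate", "dynamic"}
# Layer-4 port operators other than 'eq' consume a TCAM logical operation
# unit (LOU), a small per-PFC pool; worth counting on large ACLs.
LOU_OPERATORS = {"range", "gt", "lt", "neq"}
ACE_START = {"permit", "deny", "dynamic", "evaluate"}


@dataclass
class AclReport:
    name: str
    aces: int = 0
    lou_aces: int = 0
    software_aces: list = field(default_factory=list)  # (ace, [keywords])

    @property
    def hardware_only(self) -> bool:
        return not self.software_aces


def parse_acls(config_text):
    """Return {acl_name: [ace, ...]} from 'ip access-list' blocks.
    Mail-quote markers ('> ') and indentation are stripped first."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue                      # blank or quoted-blank line
        header = re.match(r"ip access-list (?:extended|standard) (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        tokens = line.split()
        if tokens[0].isdigit() and len(tokens) > 1:
            tokens = tokens[1:]           # optional sequence number
        if current is None or tokens[0] == "remark":
            continue
        if tokens[0] in ACE_START:
            acls[current].append(" ".join(tokens))
        else:
            current = None                # left the ACL (e.g. interface stanza)
    return acls


def analyse(name, aces):
    rep = AclReport(name)
    for ace in aces:
        tokens = set(ace.split())
        rep.aces += 1
        hits = sorted(SOFTWARE_KEYWORDS & tokens)
        if hits:
            rep.software_aces.append((ace, hits))
        if LOU_OPERATORS & tokens:
            rep.lou_aces += 1
    return rep


def lint(config_text):
    return {n: analyse(n, a) for n, a in parse_acls(config_text).items()}


def summarise(rep):
    verdict = "hardware" if rep.hardware_only else "SOFTWARE path"
    out = [f"{rep.name}: {rep.aces} ACEs, {rep.lou_aces} using LOUs -> {verdict}"]
    out += [f"  {ace}   <- {', '.join(hits)}" for ace, hits in rep.software_aces]
    return "\n".join(out)


# The two ACLs quoted in the thread, mail-quote prefix left in place.
THREAD_ACLS = """\
> ip access-list extended BORDER-INP
>  deny   udp any any range 1433 1434
>  deny   tcp any any eq 5554
>  deny   tcp any any eq 9996
>  deny   tcp any any eq 445
>  permit ip any any
>
> ip access-list extended BORDER-OUT
>  deny   udp any any range 1433 1434
>  deny   udp any any eq snmp
>  deny   tcp any any eq 5554
>  deny   tcp any any eq 9996
>  deny   tcp any any eq 445
>  permit ip any any
>
> interface GigabitEthernet5/2
>  ip access-group BORDER-INP in
"""

# Constructed counter-example (not from the thread): entries that pull
# matching traffic onto the CPU path.
SOFTWARE_ACL = """\
ip access-list extended BAD-BORDER
 deny   tcp any any eq 445 log
 permit tcp any any reflect OUTBOUND
 evaluate OUTBOUND
 permit ip any any
"""

if __name__ == "__main__":
    for text in (THREAD_ACLS, SOFTWARE_ACL):
        for rep in lint(text).values():
            print(summarise(rep))
```

Run against the quoted config, both BORDER-INP and BORDER-OUT come back hardware-only with one LOU-consuming entry each (the 1433-1434 range), so the ACLs themselves were not the cause of the CPU load; the constructed BAD-BORDER list shows what the lint catches.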