[c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]

Jared Mauch jared at puck.nether.net
Thu Nov 9 07:46:24 EST 2006


On Thu, Nov 09, 2006 at 12:39:50PM +0000, Stephen Wilcox wrote:
> Hi James,
>  Primoz says he has already done that... he wants to find the source.
> 
> As he is using BGP and has no default tho, he would be best to route 0.0.0.0/0 to null0 which will catch any stray packets not just RFC1918 (altho in the absence of any default, packets should be getting dropped anyway)
> 
> Also, routing the private addresses to a sniffer will not reveal the MAC as it would simply show the MAC of the router.
> 
> 
> Primoz - why not put an access list on the interface, match these packets and specify log-input which will show you the source interface and MAC. Be careful tho, you said your link ran at 100% before, so keep your null route in place to ensure your logging doesn't hog the cpu.


	it's also valuable to enable unicast-rpf strict mode on any
internal or customer interfaces to prevent packet spoofing from traversing
your network.  This includes any lans you may have servers or management
hosts on.  This will help protect you in the "just in case" cases where
someone may take over your host.

	You can then view the dropped packet counters easily by
doing "show ip interface <foo>" and look for them to increment.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
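A worked IOS configuration for what the thread converges on (a null route, an access list with log-input to reveal the ingress interface and MAC, and uRPF strict mode on internal ports), added here as an example and not taken from either message. Interface names, the ACL name and the assumption that the stray traffic is destined for RFC1918 space are mine.

```cisco
! --- Catch the stray traffic and learn where it enters (Stephen's suggestion) ---
! Keep a default route to Null0 so anything without a more specific route is
! discarded by the forwarding path instead of being punted to the CPU.
ip route 0.0.0.0 0.0.0.0 Null0
!
! Match traffic to RFC1918 destinations (assumption: that is the "weird traffic").
! log-input adds the ingress interface and source MAC to the syslog message;
! the final permit keeps the link passing everything else.
ip access-list extended FIND-STRAY-RFC1918
 permit ip any 10.0.0.0 0.255.255.255 log-input
 permit ip any 172.16.0.0 0.15.255.255 log-input
 permit ip any 192.168.0.0 0.0.255.255 log-input
 permit ip any any
!
! Throttle ACL log generation so the logging itself cannot hog the CPU on a
! saturated link (value is an assumption; tune to the platform).
ip access-list logging interval 1000
!
interface GigabitEthernet0/1
 description point-to-point link (assumed interface name)
 ip access-group FIND-STRAY-RFC1918 in
!
! --- Jared's point: uRPF strict mode on internal / customer-facing ports ---
! Strict mode drops a packet whose source address is not reachable back out
! the interface it arrived on, so a compromised host cannot inject spoofed
! sources into the network.  Only use it where routing is symmetric; on a
! multi-homed customer link use "reachable-via any" (loose mode) instead.
interface GigabitEthernet0/2
 description server / management LAN (assumed interface name)
 ip verify unicast source reachable-via rx
!
! Verify: the "verification drops" counter should increment over time in
!   show ip interface GigabitEthernet0/2 | include verif
! and the ingress interface and MAC appear in %SEC-6-IPACCESSLOG* messages
! generated by the log-input entries above.
```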

