[c-nsp] Unknown unicast only occurring when a host is under attack...

Drew Weaver drew.weaver at thenap.com
Fri Mar 25 09:06:06 EDT 2011


-----Original Message-----
From: John Neiberger [mailto:jneiberger at gmail.com] 
Sent: Thursday, March 24, 2011 2:54 PM
To: Drew Weaver
Cc: cisco-nsp
Subject: Re: [c-nsp] Unknown unicast only occurring when a host is under attack...

On Thu, Mar 24, 2011 at 12:11 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> Hi,
>
> I've never seen this issue before and I don't find a lot of information about it on the Internet.
>
> Basically what is happening is a host in a VLAN is getting flooded with http requests and when this happens the http requests are being unicast to all ports in this VLAN.
>
> This only happens when the host is being flooded; when I block the attack, normal traffic isn't being unicast flooded.
>
> I would think that if this was normal unknown unicast it would always happen after the cam expires the mac entry...?
>
> Has anyone heard of anything like this before?
>
> System is a 6500 (sup 720s) w/ SXI5.
>
> thanks,
> -Drew

That sounds pretty strange. There are attacks that could cause this,
though. They can cause your MAC table to overflow. Let's say you can
have up to 32,768 addresses in your table. If the table is full,
traffic destined for that 32769th MAC address will be flooded. At
least I think that's how it works. Check to see how many entries are
in your MAC address table.
---

Hmm, I noticed when I looked in the netflow for the attack traffic that there were more than 400,000 source IPs participating in the attack; they were obviously spoofed/what-have-you, but would that make a difference? I don't think I've ever seen one with that many sources before, bravo to them for going the extra mile...

-Drew
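As an added illustration (not code from the thread), a model of the table-overflow behaviour John describes: a learning switch with a fixed CAM capacity, the victim's entry aging out while the table is full, and an occupancy check for the entry count a defender reads off the switch. Capacity, MACs and ports are constructed values; the model keys learning on source MAC, so the spoofed source IPs Drew saw in NetFlow add entries only if the frames also carry distinct source MACs.

```python
FLOOD = "FLOOD"  # returned when the destination MAC is not in the table


class CamTable:
    """Learning-switch MAC table keyed on (vlan, source MAC) with a hard capacity."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}  # (vlan, mac) -> port

    def learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = port
            return True
        return False  # table full: the new address is not learned

    def age_out(self, vlan, mac):
        self.entries.pop((vlan, mac), None)

    def forward(self, vlan, src_mac, dst_mac, in_port):
        """Learn the source, then return the egress port, or FLOOD if unknown."""
        self.learn(vlan, src_mac, in_port)
        return self.entries.get((vlan, dst_mac), FLOOD)

    def occupancy(self):
        return len(self.entries) / self.capacity


def occupancy_alert(entry_count, capacity, threshold=0.9):
    """Defender check on the entry count reported by the switch (constructed threshold)."""
    return entry_count / capacity >= threshold


def run_scenario(capacity, attack_src_macs):
    """Constructed scenario: router on port 1, victim on port 5, VLAN 10.
    attack_src_macs is how many distinct source MACs the attack frames carry."""
    cam = CamTable(capacity)
    vlan, victim, router = 10, "victim-mac", "router-mac"
    cam.learn(vlan, victim, 5)
    sources = [f"src-{i % attack_src_macs}" for i in range(2 * capacity)]
    for src in sources[:capacity]:  # first burst of attack frames toward the victim
        cam.forward(vlan, src, victim, 1)
    cam.age_out(vlan, victim)  # victim idle long enough for its entry to age out
    for src in sources[capacity:]:  # attack continues; any freed slot is taken
        cam.forward(vlan, src, victim, 1)
    cam.forward(vlan, victim, router, 5)  # victim transmits: re-learn attempt
    delivery = cam.forward(vlan, router, victim, 1)  # traffic to the victim
    return delivery, cam.occupancy()
```

With many distinct source MACs the victim cannot be re-learned and its traffic floods the VLAN; with one source MAC (IP spoofing only) the table stays small and delivery returns to port 5.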
