[c-nsp] Unknown unicast only occurring when a host is under attack...
Jeroen van Ingen
jeroen at zijndomein.nl
Sat Mar 26 08:05:39 EDT 2011
On 03/25/2011 05:11 PM, John Neiberger wrote:
> > Hmm, I noticed when I looked in the netflow for the attack traffic that there were more than 400,000 source IPs participating in the attack, they were obviously spoofed/what-have-you, but would that make a difference? I don't think I've ever seen one with that many sources before, bravo to them for going the extra mile...
> >
> > -Drew
>
> Wow, that's impressive! If each of those was associated with a unique
> MAC address somehow, your CAM table surely was overloaded, which would
> explain the unicast flooding. If it happens again, take a look at your
> CAM table to see if it's full.
>
They would only be associated with unique MAC addresses if the sources
are in the same VLAN as the destination. If the sources are on a
different VLAN (or behind any routed path for that matter), all frames
towards the destination will have the router's MAC as L2 source address.
Assuming the DoS attack is routed traffic (since it's in netflow) it
won't cause overflows in L2 forwarding table CAM.
Regards,
Jeroen van Ingen
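A toy model of the behaviour described in the reply above, written as an added example for this thread; it is not code from the list, from Cisco, or from any vendor. It models a switch's MAC learning table with a fixed capacity and an unknown-unicast flooding rule, then feeds it the same 400,000-source attack two ways: routed (every frame carries the router's MAC as L2 source, the spoofed IPs never reach the table) and same-VLAN with a spoofed MAC per source (the classic MAC-flooding case). The table size, VLAN, ports and MAC/IP values are constructed for illustration and are assumptions, not figures from the thread.

```python
from collections import OrderedDict, namedtuple

# Assumed values for the toy switch; real CAM sizes vary by platform.
CAM_CAPACITY = 8192
VLAN = 10
VICTIM_MAC = "00:00:5e:00:53:01"   # constructed (documentation MAC range)
VICTIM_PORT = 5
ROUTER_MAC = "00:00:5e:00:53:fe"   # the L3 gateway's MAC in this VLAN (constructed)
ROUTER_PORT = 1
ATTACK_PORT = 2                    # port the same-VLAN attacker sits behind

# A frame as the switch sees it. src_ip is only payload here: the switch
# never reads it, which is exactly the point made in the reply above.
Frame = namedtuple("Frame", "vlan src_mac dst_mac src_ip")


class ToySwitch:
    """Minimal model of MAC learning plus unknown-unicast flooding."""

    def __init__(self, capacity=CAM_CAPACITY):
        self.capacity = capacity
        self.cam = OrderedDict()   # (vlan, mac) -> port, oldest entry first
        self.forwarded = 0
        self.flooded = 0

    def learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.cam:
            self.cam.move_to_end(key)
            self.cam[key] = port
            return
        if len(self.cam) >= self.capacity:
            # Table full: evict the oldest entry. Overflow behaviour differs
            # between platforms (some simply stop learning), but either way
            # the victim's entry is at risk once the table is under pressure.
            self.cam.popitem(last=False)
        self.cam[key] = port

    def forward(self, frame, in_port):
        self.learn(frame.vlan, frame.src_mac, in_port)
        if (frame.vlan, frame.dst_mac) in self.cam:
            self.forwarded += 1      # known unicast: sent out one port
        else:
            self.flooded += 1        # unknown unicast: flooded to the VLAN

    def summary(self):
        return {"cam_entries": len(self.cam),
                "forwarded": self.forwarded,
                "flooded": self.flooded}


def spoofed_ip(i):
    """Deterministic, distinct 'source IP' per attack packet (constructed)."""
    return f"10.{(i >> 16) & 0xff}.{(i >> 8) & 0xff}.{i & 0xff}"


def spoofed_mac(i):
    """Deterministic, distinct locally administered MAC per packet (constructed)."""
    return f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def fresh_switch():
    sw = ToySwitch()
    # The victim has already transmitted, so the switch knows its port.
    sw.learn(VLAN, VICTIM_MAC, VICTIM_PORT)
    return sw


def simulate_routed_attack(n_packets):
    """Sources sit behind the router: every frame has the router's MAC as its
    L2 source, however many distinct spoofed IP sources netflow reports."""
    sw = fresh_switch()
    for i in range(n_packets):
        sw.forward(Frame(VLAN, ROUTER_MAC, VICTIM_MAC, spoofed_ip(i)), ROUTER_PORT)
    return sw.summary()


def simulate_same_vlan_attack(n_packets):
    """Sources are in the victim's VLAN and spoof a new source MAC per packet:
    MAC flooding, which eventually pushes the victim's entry out of the table."""
    sw = fresh_switch()
    for i in range(n_packets):
        sw.forward(Frame(VLAN, spoofed_mac(i), VICTIM_MAC, spoofed_ip(i)), ATTACK_PORT)
    return sw.summary()


if __name__ == "__main__":
    n = 400_000   # the source count quoted earlier in the thread
    print("routed   :", simulate_routed_attack(n))
    print("same VLAN:", simulate_same_vlan_attack(n))
```

In the routed case the table holds two entries (victim and router) and nothing is flooded no matter how many IP sources the attack uses; in the same-VLAN case the table fills, the victim's entry is evicted, and every frame after that is flooded until the victim transmits again. Which entry is lost on overflow is platform-specific (this model evicts the oldest). On Catalyst IOS, `show mac address-table count` reports how much of the table is in use, which is the check suggested earlier in the thread.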