[c-nsp] All multicast punting to CPU on 6500

Robert Williams Robert at CustodianDC.com
Mon Dec 17 05:58:12 EST 2012


Hi,

Thanks for that, just to clarify a couple of details regarding the 'flow' of traffic in this instance, as I think my attempt to simplify for the purpose of identifying the issue has had the opposite effect :)

So, the connectivity is as follows:

[------- Internet ------]
        \/           ||
[Non-Cisco Router] [6500]
        \/           ||
[-------- Switch -------]
        \/
     [MS NLB]

\/  =  Attack traffic
||  =  Other traffic

The 'attack' traffic entered via the Non-Cisco router, from the internet. It was delivered to the LAN switch while the NLB was unreachable. Thus the switch flooded to all ports, which included the 6500.

In normal operations the 6500 never talks to the NLB cluster, at all. This is why nothing was configured on the 6500 for the NLB and why the two (generally) should never have any need to speak to each other.

The 6500 deals with the more 'critical' services, but they are common in so much as having access to some of the same VLANs on the switch.

The NLB is legacy, running through a legacy router, and by 'attack' I'm talking about approx. 40 Mbit/s of traffic directed to random ports on the NLB primary IP, originating from a single IP elsewhere on the internet, entering via the legacy router.

Regarding the MAC addresses and the validity of my test - the hping stream I'm generating does not randomise MACs (the static ARP set on Linux is used to keep this constant) - sorry if somehow I've implied that it does at some point, but both the source and destination MAC are static.

So in short, the test is a very accurate replication of the real-world issue; in fact, the results are almost identical apart from the fact my test traffic has no payload (i.e. it's not trying to actually break the services running on the NLB cluster).

As for attacks being originated from within the target's network, this is reasonably common in the low-end colocation market (online gaming in particular). A lot of general colocation companies which I know of use flat single VLANs for large numbers of their dedicated servers. They simply cannot provide a separate layer-2 for each server. So as an attacker, you have an increased chance of success if you source your attack from a server purchased from the same provider as your target.

Often we see the goal is actually just to take the 'provider' offline, not even attack a specific target. Worrying yes, but we've seen a steady increase in it for the last year so I guess it's more common than it used to be.

Anyway, I thought I'd just go through that so anyone who is interested can understand the specific situation and give some clarity to what might otherwise seem like a rather odd and pointless 'test' :)

(PS. For the NLB fans, you'll be pleased to know the cluster is now going for good I'm told)

Cheers!


Robert Williams
Custodian Data Centre
Email: Robert at CustodianDC.com
http://www.CustodianDC.com


Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt
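The mechanism the post describes, a LAN switch flooding unknown-unicast frames to every port in the VLAN (6500 included) once the NLB stops answering and its MAC entry ages out, is shown below as an added example that is not part of the original thread or of any Cisco software. It is a toy layer-2 switch model; port names, VLAN number and MAC addresses are constructed, and the static MAC entry used to stop the flood is assumed here as the mitigation (it is the usual way to pin an NLB cluster MAC to a port; the post itself does not say what was configured). It models only the switch-side flooding, not the CPU punt on the 6500 that the thread subject refers to.

```python
"""Toy layer-2 switch: MAC learning, ageing, and unknown-unicast flooding.

Added example (not from the original post). Demonstrates why frames to a
host that has gone silent are flooded out every port in the VLAN, and how
a static MAC entry (assumed mitigation) confines them to one port.
Port names, VLAN and MACs below are constructed sample values.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac vlan")

# Constructed sample addresses (not real devices).
ROUTER_MAC = "00:11:22:33:44:01"   # legacy non-Cisco router
NLB_MAC = "02:bf:0a:00:00:01"      # NLB cluster (unicast-mode style MAC)
VLAN = 10


class Switch:
    """Minimal CAM-table model: learn on source, flood on unknown dest."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}    # (vlan, mac) -> egress port
        self.static = set()  # entries that never age out or get relearned

    def add_static(self, vlan, mac, port):
        # Equivalent in spirit to a static mac-address-table entry.
        self.table[(vlan, mac)] = port
        self.static.add((vlan, mac))

    def age_out(self, vlan, mac):
        # A dynamic entry disappears once the host stops sending frames.
        if (vlan, mac) not in self.static:
            self.table.pop((vlan, mac), None)

    def forward(self, frame, in_port):
        """Return the list of egress ports for one frame."""
        key = (frame.vlan, frame.src_mac)
        if key not in self.static:
            self.table[key] = in_port          # learn the source
        dst = self.table.get((frame.vlan, frame.dst_mac))
        if dst is None:
            # Unknown unicast: flood to every port in the VLAN except ingress.
            return sorted(p for p in self.ports if p != in_port)
        return [dst] if dst != in_port else []


def scenario(pin_nlb=False):
    """Replay the post's situation; return where one router->NLB frame goes."""
    sw = Switch(["legacy_router", "nlb", "6500", "other_server"])
    # Earlier, the NLB was answering, so the switch learned its MAC on port nlb.
    sw.forward(Frame(NLB_MAC, ROUTER_MAC, VLAN), "nlb")
    if pin_nlb:
        sw.add_static(VLAN, NLB_MAC, "nlb")
    # The NLB becomes unreachable and stays silent; its dynamic entry ages out.
    sw.age_out(VLAN, NLB_MAC)
    # Inbound traffic towards the NLB keeps arriving from the legacy router.
    return sw.forward(Frame(ROUTER_MAC, NLB_MAC, VLAN), "legacy_router")


def ports_hit_by_flood(frames=1000, pin_nlb=False):
    """Count how many of `frames` identical frames reach each port."""
    counts = {}
    for _ in range(frames):
        for port in scenario(pin_nlb):
            counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    print("no static entry :", scenario(False))   # 6500 receives the flood
    print("static NLB entry:", scenario(True))    # only port nlb receives it
    print(ports_hit_by_flood(1000, False))
```

Run it and the first line shows the frame leaving every non-ingress port, including the one facing the 6500, which is exactly how a flood aimed at the legacy NLB ends up on a box that never talks to it; the second line shows the same frame confined to the NLB port once its MAC is pinned.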