Attack on UDP 101

Shahab Vahabzadeh sh.vahabzadeh at gmail.com
Sat Jul 21 19:12:39 UTC 2012


Can a hardware problem make something happen?

On Sat, Jul 21, 2012 at 11:38 PM, Christopher Morrow <
morrowc.lists at gmail.com> wrote:

> On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh
> <sh.vahabzadeh at gmail.com> wrote:
> > Dear Stefan,
> > I have a 7206VXR Router with this design:
> >
> > int gig 0/1: directly connected to 3750 switch (uplink to internet)
> > int gig 0/2: vlan termination from PSTN centers
> > int virtual-template1: xdsl users
> >
> > It's about 4 days that I see near 300Mbps outbound traffic in int gig0/1
> > that there is no such traffic in any of the router's interfaces, but the same
> > traffic is seen in 3750 peer interface.
> > I try to run monitor session on 3750 and monitor port traffic which I see
> > that packet is generating from a user and it's in a loop between 3750 and
> > 7206.
>
> I suspect that the 7206 and 3750 both think the other guy has
> default... and with no more specific to follow the packet just
> pingpongs between the 2 devices. I would also suspect you see this for
> more than one destination :(
>
> picking just one entry (last entry I see) from route-views.routeviews.org:
> BGP routing table entry for 76.164.192.0/19, version 708055091
> Paths: (35 available, best #31, table Default-IP-Routing-Table)
> ...
> 4436 6939 53340 36114
>     69.31.111.244 from 69.31.111.244 (69.31.111.244)
>       Origin IGP, metric 0, localpref 100, valid, external
>       Community: 4436:21216
>
> all of 36114(versaweb) traffic would seem to head through
> 53340(vegasnap) on the way home, so... maybe something else is going
> on like you didn't accept transit routes (or send them or something
> else) from your transit? hard to say with as little info as we see
> here, but :)
>
> > When I disconnect that user, I see that that packet is in loop again,
> > because of that I am sure it's making a loop but I do not know the reason
> > is that packets or not.
> >
> > Thanks
> >
> >
> > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
> > sfouant at shortestpathfirst.net> wrote:
> >
> >> Can you give us more information? What do you mean it is causing Layer 3
> >> loops?
> >>
> >> Stefan Fouant
> >>
> >> Sent from my HTC on the Now Network from Sprint!
> >>
> >>
> >> ----- Reply message -----
> >> From: "Shahab Vahabzadeh" <sh.vahabzadeh at gmail.com>
> >> Date: Sat, Jul 21, 2012 10:50 am
> >> Subject: Attack on UDP 101
> >> To: <nanog at nanog.org>
> >>
> >> Hi there,
> >> Does anybody know any report about attack on UDP Port 101 which make Layer
> >> 3 Loops?
> >> This is an example sniff:
> >>
> >> Source IP Address is : 76.164.199.86
> >> Source port: 62946  Destination port: 101
> >> 2012-07-21 11:11:09.646757
> >>
> >> Thanks
> >>
> >> --
> >> Regards,
> >> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>
> >> Cell Phone: +1 (415) 871 0742
> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
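
Added example, not part of the original thread or written by any of its participants: one way to confirm from a SPAN capture that traffic is ping-ponging between two routers, as suggested in the quoted reply. It looks for the same packet (addresses, ports, IP ID) reappearing with a falling TTL. The record layout, the function names and every value except the source address and ports from the quoted sniff are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (src, dst, sport, dport, ip_id, ttl) as seen on a SPAN port
# of the link between the two devices. Only the source address and ports come
# from the sniff quoted in the thread; everything else is made up.
CAPTURE = [
    ("76.164.199.86", "192.0.2.10", 62946, 101, 0x1A2B, 52),
    ("198.51.100.7",  "192.0.2.99", 40000, 53,  0x0101, 60),
    ("76.164.199.86", "192.0.2.10", 62946, 101, 0x1A2B, 51),
    ("76.164.199.86", "192.0.2.10", 62946, 101, 0x1A2B, 50),
    ("198.51.100.7",  "192.0.2.99", 40000, 53,  0x0102, 60),
    ("203.0.113.5",   "192.0.2.20", 5000,  123, 0x0777, 61),
    ("203.0.113.5",   "192.0.2.20", 5000,  123, 0x0777, 61),  # duplicate, same TTL
    ("76.164.199.86", "192.0.2.10", 62946, 101, 0x1A2B, 49),
]

def find_looping_packets(records, min_hops=3):
    """Return {packet_key: [ttl, ...]} for packets seen repeatedly with falling TTL.

    A packet bouncing between two routers keeps its addresses, ports and IP ID,
    but each router decrements the TTL, so the same packet shows up again with a
    strictly lower TTL. Plain duplicates keep the same TTL and are ignored.
    """
    sightings = defaultdict(list)
    for src, dst, sport, dport, ip_id, ttl in records:
        sightings[(src, dst, sport, dport, ip_id)].append(ttl)
    loops = {}
    for key, ttls in sightings.items():
        strictly_falling = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_hops and strictly_falling:
            loops[key] = ttls
    return loops

def looped_destinations(records, min_hops=3):
    """Destinations whose traffic loops: candidates for a missing specific route."""
    return sorted({key[1] for key in find_looping_packets(records, min_hops)})

if __name__ == "__main__":
    for key, ttls in find_looping_packets(CAPTURE).items():
        print(key, "TTL trail:", ttls)
    print("destinations to check in both routing tables:", looped_destinations(CAPTURE))
```

Each destination it reports is one to look up in the routing table of both devices, to see whether each is following a default route toward the other.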


