Attack on UDP 101

Christopher Morrow morrowc.lists at gmail.com
Sat Jul 21 20:53:38 UTC 2012


On Sat, Jul 21, 2012 at 3:12 PM, Shahab Vahabzadeh
<sh.vahabzadeh at gmail.com> wrote:
> Can hardware problem make something happen?
>

a CEF corruption could, but really... I'd start with on both devices:
  show ip route <ip>

and see if perhaps they both point to each other... then resolve that problem.

> On Sat, Jul 21, 2012 at 11:38 PM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>>
>> On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh
>> <sh.vahabzadeh at gmail.com> wrote:
>> > Dear Stefan,
>> > I have an 7206VXR Router with this design:
>> >
>> > int gig 0/1: directly connected to 3750 switch (uplink to internet)
>> > int gig 0/2: vlan termination from PSTN centers
>> > int virtual-template1: xdsl users
>> >
>> > It's about 4 days that I see near 300Mbps outbound traffic in int gig0/1
>> > that there is no such a traffic in none of routers interface, but the same
>> > traffic is seen in 3750 peer interface.
>> > I try to run monitor session on 3750 and monitor port traffic which I see
>> > that packet is generating from a user and its in a loop between 3750 and
>> > 7206.
>>
>> I suspect that the 7206 and 3750 both think the other guy has
>> default... and with no more specific to follow the packet just
>> pingpongs between the 2 devices. I would also suspect you see this for
>> more than one destination :(
>>
>> picking just one entry (last entry I see) from route-views.routeviews.org:
>> BGP routing table entry for 76.164.192.0/19, version 708055091
>> Paths: (35 available, best #31, table Default-IP-Routing-Table)
>> ...
>> 4436 6939 53340 36114
>>     69.31.111.244 from 69.31.111.244 (69.31.111.244)
>>       Origin IGP, metric 0, localpref 100, valid, external
>>       Community: 4436:21216
>>
>> all of 36114(versaweb) traffic would seem to head through
>> 53340(vegasnap) on the way home, so... maybe something else is going
>> on like you didn't accept transit routes (or send them or something
>> else) from your transit? hard to say with as little info as we see
>> here, but :)
>>
>> > When I disconnect that user, I see that that packet is in loop again,
>> > because of that I am sure its making a loop but I do not know the reason
>> > is that packets or not.
>> >
>> > Thanks
>> >
>> >
>> > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
>> > sfouant at shortestpathfirst.net> wrote:
>> >
>> >> Can you give us more information? What do you mean it is causing Layer 3
>> >> loops?
>> >>
>> >> Stefan Fouant
>> >>
>> >>
>> >> ----- Reply message -----
>> >> From: "Shahab Vahabzadeh" <sh.vahabzadeh at gmail.com>
>> >> Date: Sat, Jul 21, 2012 10:50 am
>> >> Subject: Attack on UDP 101
>> >> To: <nanog at nanog.org>
>> >>
>> >> Hi there,
>> >> Does anybody know any report about attack on UDP Port 101 which make
>> >> Layer 3 Loops?
>> >> This is an example sniff:
>> >>
>> >> Source IP Address is : 76.164.199.86
>> >> Source port: 62946  Destination port: 101
>> >> 2012-07-21 11:11:09.646757
>> >>
>> >> Thanks
>> >>
>> >> --
>> >> Regards,
>> >> Shahab Vahabzadeh, Network Engineer and System Administrator
>> >>
>> >> Cell Phone: +1 (415) 871 0742
>> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>> >>
>> >>
>> >>
>
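
Added example, not part of the original thread: a small offline model of the check suggested above (compare what `show ip route <ip>` resolves to on both devices). The routing tables, prefixes and the "upstream" label are constructed for illustration; only the device names 7206 and 3750 come from the thread.

```python
import ipaddress

# Constructed routing tables (assumption, not data from the thread).
# device -> [(prefix, next_hop)]; a next_hop that is not a key of TABLES
# ("connected", "upstream") means the packet leaves the two-device model.
TABLES = {
    "7206": [("0.0.0.0/0", "3750"), ("198.51.100.0/24", "connected")],
    "3750": [("0.0.0.0/0", "7206"), ("192.0.2.0/24", "upstream")],
}


def lookup(device, dst, tables=TABLES):
    """Longest-prefix match: the entry `show ip route <ip>` would report."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in tables[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(start, dst, tables=TABLES, max_hops=16):
    """Follow next hops from `start`; return (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        match = lookup(device, dst, tables)
        if match is None:
            return path, "no route"
        next_hop = match[1]
        if next_hop not in tables:
            return path, next_hop          # forwarded out of the model
        if next_hop in path:
            return path + [next_hop], "loop"   # packet ping-pongs until TTL expires
        path.append(next_hop)
        device = next_hop
    return path, "hop limit"


if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.0.2.1", "198.51.100.5"):
        print(dst, trace("7206", dst))
```

With these tables, any destination covered only by the two defaults loops, while destinations with a more specific route on either device are forwarded normally.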



