Attack on UDP 101

Scott Morris swm at emanon.com
Sat Jul 21 18:50:06 UTC 2012


A packet doesn't make a loop.  A device would create that.  So if you
are sending the packet out, but something else is sending it back, I'd
go take a look at where that's occurring on your devices.

If you disconnected the user in question, then what else has either
taken over that address, or what device is mistakenly sending things back?

Something on your network is making a decision about it, you just need
to figure out why.  ;)

Scott

On 7/21/12 2:41 PM, Shahab Vahabzadeh wrote:
> Dear Stefan,
> I have an 7206VXR Router with this design:
>
> int gig 0/1: directly connected to 3750 switch (uplink to internet)
> int gig 0/2: vlan termination from PSTN centers
> int virtual-template1: xdsl users
>
> Its about 4 days that I see near 300Mpbs outbound traffic in int gig0/1
> that there is no such a traffic in none of routers interface, but the same
> traffic is seen in 3750 peer interface.
> I try to run monitor session on 3750 and monitor port traffic which I see
> that packet is generating from a user and its in a loop between 3750 and
> 7206.
> When I disconnect that user, I see that that packet is in loop again,
> because of that I am sure its making a loop but I do not know the reseaon
> is that packets or not.
>
> Thanks
>
>
> On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
> sfouant at shortestpathfirst.net> wrote:
>
>> Can you give us more  information? What do you mean it is causing Layer 3
>> loops?
>>
>> Stefan Fouant
>>
>> Sent from my HTC on the Now Network from Sprint!
>>
>>
>> ----- Reply message -----
>> From: "Shahab Vahabzadeh" <sh.vahabzadeh at gmail.com>
>> Date: Sat, Jul 21, 2012 10:50 am
>> Subject: Attack on UDP 101
>> To: <nanog at nanog.org>
>>
>> Hi there,
>> Does any body know any report about attack on UDP Port 101 which make Layer
>> 3 Loops?
>> This is an example sniff:
>>
>> Source IP Address is : 76.164.199.86
>> Source port: 62946  Destination port: 101
>> 2012-07-21 11:11:09.646757
>>
>> Thanks
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> Cell Phone: +1 (415) 871 0742
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>>
>>
>>
>






More information about the NANOG mailing list