The 6509 is suffering the SQL Slammer worm attack. I want to use an ACL to block UDP port 1434:
M-NS-6509-A#sh ip access-list 120
Extended IP access list 120
deny udp any any eq 1434 (2396970 matches)
permit ip any any (262219 matches)
ip address 220.127.116.11 255.255.255.252
ip access-group 120 in
But I found it seems useless: although I can see the matches in show ip access-list 120, I can still find a large number of flows associated with this attack when I enable NetFlow switching, and the input rate of interface fa3/17 is still abnormal (very high, 40 Mbit/s). What's the problem?
Not sure how Netflow works with regards to access lists, but I'd imagine (though I'm not sure) that traffic blocked by an access list still counts towards a given port's input rate. After all, the traffic has to enter the port before it's blocked. Perhaps someone can confirm.
Input rate is going to be very high until you pull the offending SQL server off your net. The ACL is doing its job if your access list counters are rapidly increasing; your main job should be to get the offending server offline at this point. We found this worm has the ability to bury just about any Cisco switch except the 6509 and make it almost unmanageable. Look at your flows and it should tell you who the offending server is.
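The reply above points at the flow cache to find the infected host, and that is the right place to look: an input ACL drops a packet only after it has arrived on the port, so the interface input rate and the ingress flow entries keep climbing even while the deny counter proves the ACL is matching. The following script is an added example, not code from anyone in this thread. It parses the fixed-width columns that "show ip cache flow" prints (protocol and ports are hexadecimal there, so 11 is UDP and 059A is port 1434), keeps only UDP/1434 flows, and ranks sources by how many distinct destinations they hit, which is the scanning signature of an infected server rather than a legitimate SQL client. The flow lines and addresses are constructed for the example and are not from the original post.

```python
"""Rank sources of UDP/1434 (SQL Slammer) traffic from 'show ip cache flow' output."""
from collections import Counter

# Constructed sample of 'show ip cache flow' lines (not from the original post).
# Columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# Pr and the ports are printed in hexadecimal: 11 = UDP (17), 059A = 1434.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa3/17        10.20.30.40     Null          192.0.2.17      11 0401 059A     1
Fa3/17        10.20.30.40     Null          192.0.2.200     11 0401 059A     1
Fa3/17        10.20.30.40     Null          198.51.100.9    11 0401 059A     1
Fa3/17        10.20.30.41     Null          198.51.100.77   11 0405 059A     1
Fa3/17        10.20.30.99     Fa3/18        198.51.100.5    06 C4E1 0050    12
Fa3/17        10.20.30.40     Null          203.0.113.4     11 0401 059A     1
"""

UDP = 0x11           # IP protocol number 17, shown as hex "11" by the router
SLAMMER_PORT = 1434  # MS SQL Server Resolution Service, shown as hex "059A"


def parse_flows(text):
    """Yield (src_if, src_ip, dst_ip, proto, sport, dport, pkts) for each flow line.

    The header line and anything that does not have the eight expected
    columns (summary lines, prompts) are skipped.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, _dst_if, dst_ip, pr, sp, dp, pkts = parts
        yield (src_if, src_ip, dst_ip,
               int(pr, 16), int(sp, 16), int(dp, 16), int(pkts))


def slammer_sources(text):
    """Return ({src_ip: set(dst_ips)}, Counter(src_ip -> packets)) for UDP/1434 flows."""
    targets = {}
    pkts = Counter()
    for _src_if, src_ip, dst_ip, proto, _sport, dport, n in parse_flows(text):
        if proto == UDP and dport == SLAMMER_PORT:
            targets.setdefault(src_ip, set()).add(dst_ip)
            pkts[src_ip] += n
    return targets, pkts


def rank_sources(text):
    """List of (src_ip, distinct_destinations, packets), most destinations first.

    A host that is scanning fans out one-packet flows to many destinations;
    a real SQL client talks to one or two servers.
    """
    targets, pkts = slammer_sources(text)
    ranked = sorted(targets.items(), key=lambda kv: -len(kv[1]))
    return [(ip, len(dsts), pkts[ip]) for ip, dsts in ranked]


if __name__ == "__main__":
    for ip, n_dst, n_pkt in rank_sources(SAMPLE_FLOWS):
        print(f"{ip:15} {n_dst:4} destinations {n_pkt:6} packets")
```

Paste the real cache output into SAMPLE_FLOWS (or read it from a file) and the top entry is the host to unplug; the TCP/80 flow in the sample is there to show that unrelated traffic is ignored rather than counted against its source.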
The IOS ACL will get the layer 3 traffic, but if you want to minimize the worm, you might want to use a VACL on the CatOS side. That will prevent the worm from scanning across ports in the same VLAN.
One of the big issues with this worm is that it will also scan multicast addresses. We have a /20 wireless subnet with 5000 hosts active at any one time over about 1000 APs. This worm can bring the whole network to a crawl when it scans multicast.