Cisco Support Community
New Member

ACL on 6509

The 6509 is suffering from the SQL Slammer worm attack. I want to use an ACL to block UDP port 1434:

M-NS-6509-A#sh ip access-list 120
Extended IP access list 120
    deny udp any any eq 1434 (2396970 matches)
    permit ip any any (262219 matches)

interface FastEthernet3/17
 description TongYiWangLuo(IW000217)
 ip address 61.144.246.241 255.255.255.252
 ip access-group 120 in

But I found it seems useless: although I can see the matches in show ip access-list 120, I can still see a large number of flows associated with this attack after enabling NetFlow switching, and the input rate of interface fa3/17 is still abnormal (very high, 40 Mbit/s). What is the problem?

Thx

Regards

Jeffrey

5 REPLIES
Bronze

Re: ACL on 6509

Not sure how NetFlow works with regard to access lists, but I'd imagine (though I'm not sure) that traffic blocked by an access list still counts towards a given port's input rate. After all, the traffic has to enter the port before it's blocked. Perhaps someone can confirm.

New Member

Re: ACL on 6509

But I once tried to configure the ACL as "access-list 120 deny ip any any" and applied it, and then the port's input rate dropped to nearly zero.

Bronze

Re: ACL on 6509

Interesting. TAC may be your best bet in this case -- they'll know for sure how a port's input rate is affected by access lists. A software bug may be the cause of the discrepancies you're seeing.

Purple

Re: ACL on 6509

Input rate is going to be very high until you pull the offending SQL server off your net. The ACL is doing its job if your access list counters are rapidly increasing; your main job should be to get the offending server offline at this point. We found this worm has the ability to bury just about any Cisco switch except the 6509 and make it almost unmanageable. Look at your flows and it should tell you who the offending server is.
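The reply above says to look at the flows to find the offending server. As an added example (not part of the original thread), the script below does that over the text of show ip cache flow: it parses the flow table, keeps only UDP flows to destination port 1434, and ranks sources by how many distinct destinations they hit, which is the signature of a host spraying single-packet probes rather than a legitimate client. The sample output is constructed with RFC 5737 documentation addresses; the column layout (interface, addresses, protocol, source port, destination port, packet count, with protocol and ports in hex) follows the IOS show ip cache flow table, and the Null output interface in the constructed sample is an assumption, not a claim about what IOS prints for denied traffic.

```python
"""Rank sources of UDP/1434 flows in 'show ip cache flow' text.

Added example; it is not code from the original thread or from Cisco.
SAMPLE_SHOW_IP_CACHE_FLOW is constructed (RFC 5737 addresses). Only the
last eight whitespace-separated columns of each data line are used.
"""
from collections import defaultdict

# Constructed sample: one host (192.0.2.77) probing many targets on UDP/1434
# with one packet per flow, next to ordinary HTTP and DNS flows.
SAMPLE_SHOW_IP_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa3/17        192.0.2.77      Null          198.51.100.10   11 0405 059A     1
Fa3/17        192.0.2.77      Null          198.51.100.11   11 0405 059A     1
Fa3/17        192.0.2.77      Null          203.0.113.9     11 0405 059A     1
Fa3/17        192.0.2.77      Null          203.0.113.10    11 0405 059A     1
Fa3/17        192.0.2.12      Fa3/1         198.51.100.5    06 0C8F 0050    23
Fa3/17        192.0.2.30      Fa3/1         198.51.100.53   11 0A3C 0035     2
Fa3/17        192.0.2.30      Null          198.51.100.12   11 0405 059A     1
"""

UDP = 0x11              # IP protocol 17, printed as hex "11" in the table
MSSQL_MONITOR_PORT = 1434   # Slammer's target; hex "059A" in the table


def parse_flows(text):
    """Return a list of flow dicts; header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = fields
        try:
            flows.append({
                "src_if": src_if,
                "src_ip": src_ip,
                "dst_if": dst_if,
                "dst_ip": dst_ip,
                "proto": int(proto, 16),
                "sport": int(sport, 16),
                "dport": int(dport, 16),
                "pkts": int(pkts),
            })
        except ValueError:
            # Not a flow row (e.g. a summary line); ignore it.
            continue
    return flows


def slammer_suspects(text, min_targets=2):
    """Rank sources of UDP/1434 flows by distinct destinations contacted.

    Returns a list of (src_ip, distinct_destinations, flow_count), most
    suspicious first. A source must hit at least min_targets distinct
    destinations to be reported, which filters out a single legitimate
    SQL Browser lookup.
    """
    targets = defaultdict(set)
    flow_count = defaultdict(int)
    for flow in parse_flows(text):
        if flow["proto"] == UDP and flow["dport"] == MSSQL_MONITOR_PORT:
            targets[flow["src_ip"]].add(flow["dst_ip"])
            flow_count[flow["src_ip"]] += 1
    ranked = sorted(
        ((src, len(targets[src]), flow_count[src]) for src in targets),
        key=lambda row: (-row[1], -row[2], row[0]),
    )
    return [row for row in ranked if row[1] >= min_targets]


if __name__ == "__main__":
    for src, n_dst, n_flows in slammer_suspects(SAMPLE_SHOW_IP_CACHE_FLOW):
        print(f"{src:<16} {n_dst:>6} targets {n_flows:>6} flows")
```

On a live box, paste the output of show ip cache flow into the script in place of the constructed sample; the top entry is the host to pull off the network, and the Pkts column staying at 1 per flow is consistent with the worm's single-datagram probe.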

New Member

Re: ACL on 6509

Make sure you look at this:

http://www.cisco.com/en/US/customer/products/products_security_advisory09186a0080133399.shtml

The IOS ACL will get the layer 3 traffic, but if you want to minimize the worm, you might want to use a VACL on the CatOS side. That will prevent the worm from scanning across ports in the same VLAN.

One of the big issues with this worm is that it will also scan multicast addresses. We have a /20 wireless subnet with 5000 hosts active at any one time over about 1000 APs. This worm can bring the whole network to a crawl when it scans multicast.
