Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

DOS attack fills input queue?

  • From: Scott Call
  • Date: Sun Aug 03 15:14:28 2003


One of my FE interfaces was "stuttering" this morning, and when I checked it out, it had an input queue of 76/75 which of course made me think of the recent Cisco vulnerability, which we have upgraded IOS and added ACLs to counteract.

I checked the ACLs and they hadn't caught any traffic from the "bad four" protocols, only TCP and UDP, so I started to investigate.
The packets (as pulled from the buffer) have headers like:
Buffer information for Small buffer at 0x42561A68
data_area 0x42561D18, refcount 1, next 0x41C4F394, flags 0xA00
linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
inputtime 0x1433CC, outputtime 0x0, oqnumber 65535
datagramstart 0x42561D5E, datagramsize 60, maximum size 260
mac_start 0x42561D5E, addr_start 0x42561D5E, info_start 0x0
network_start 0x42561D6C, transport_start 0x42561D78, caller_pc 0x403F5BD4

source: 71.209.243.3, destination: 163.29.243.5, id: 0x0100, ttl: 128,
TOS: 0 prot: 6, source port 0, destination port 40

Buffer information for Small buffer at 0x425868E4
data_area 0x42586B94, refcount 1, next 0x4253BC7C, flags 0xA00
linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
if_input 0x42E47824 (FastEthernet4/0/0.7), if_output 0x0 (None)
inputtime 0x96724, outputtime 0x0, oqnumber 65535
datagramstart 0x42586BDA, datagramsize 60, maximum size 260
mac_start 0x42586BDA, addr_start 0x42586BDA, info_start 0x0
network_start 0x42586BE8, transport_start 0x42586BFC, caller_pc 0x403F5BD4
source: 224.209.80.156, destination: 163.29.243.5, id: 0x0100, ttl: 128,
TOS: 0 prot: 6, source port 0, destination port 40


and so on....

Random sources, same destination, same source/destination port pairs (0/40 tcp)

I added:
access-list 111 deny tcp any host 163.29.243.5
access-list 111 deny tcp host 163.29.243.5 any

to the interface and it did not catch any of them, and the input queue returned to 76/75 (when the customer is disconnected the queue empties back to 0/75, when I re-enable their switchport, it takes 30-60 seconds to fill back up).

I'm sure the packets are problably just one of the latest windows worms, but what concerns me is that I can't seem to catch them in an ACL before they cause damage to the router.

The router is a 7507 with 12.0.25S on it. Since 12.0.25S has given me (unreleated) problems on other boxes, and been pulled by Cisco, I've scheduled a reload to 12.0.21S7 tonight. I don't know if that will, however, fix this problem, so I wanted to both ask for the advice of, and maybe raise a red flag for, the nanog folks out there who might run into the same thing.

Thanks
-Scott






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.