nanog mailing list archives

Re: Attack on UDP 101

From: Scott Morris <swm () emanon com>
Date: Sat, 21 Jul 2012 14:50:06 -0400

A packet doesn't make a loop.  A device would create that.  So if you
are sending the packet out, but something else is sending it back, I'd
go take a look at where that's occurring on your devices.

If you disconnected the user in question, then what else has either
taken over that address, or what device is mistakenly sending things back?

Something on your network is making a decision about it, you just need
to figure out why.  ;)

Scott

On 7/21/12 2:41 PM, Shahab Vahabzadeh wrote:

Dear Stefan,
I have an 7206VXR Router with this design:

int gig 0/1: directly connected to 3750 switch (uplink to internet)
int gig 0/2: vlan termination from PSTN centers
int virtual-template1: xdsl users

Its about 4 days that I see near 300Mpbs outbound traffic in int gig0/1
that there is no such a traffic in none of routers interface, but the same
traffic is seen in 3750 peer interface.
I try to run monitor session on 3750 and monitor port traffic which I see
that packet is generating from a user and its in a loop between 3750 and
7206.
When I disconnect that user, I see that that packet is in loop again,
because of that I am sure its making a loop but I do not know the reseaon
is that packets or not.

Thanks


On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
sfouant () shortestpathfirst net> wrote:

Can you give us more  information? What do you mean it is causing Layer 3
loops?

Stefan Fouant

Sent from my HTC on the Now Network from Sprint!


----- Reply message -----
From: "Shahab Vahabzadeh" <sh.vahabzadeh () gmail com>
Date: Sat, Jul 21, 2012 10:50 am
Subject: Attack on UDP 101
To: <nanog () nanog org>

Hi there,
Does any body know any report about attack on UDP Port 101 which make Layer
3 Loops?
This is an example sniff:

Source IP Address is : 76.164.199.86
Source port: 62946  Destination port: 101
2012-07-21 11:11:09.646757

Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90

Current thread:

Attack on UDP 101 Shahab Vahabzadeh (Jul 21)
- Re: Attack on UDP 101 Christopher Morrow (Jul 21)
  - Re: Attack on UDP 101 Shahab Vahabzadeh (Jul 21)
    - Re: Attack on UDP 101 Christopher Morrow (Jul 21)
- <Possible follow-ups>
- Re: Attack on UDP 101 Stefan Fouant (Jul 21)
- Re: Attack on UDP 101 Shahab Vahabzadeh (Jul 21)
  - Re: Attack on UDP 101 Scott Morris (Jul 21)
  - Re: Attack on UDP 101 Christopher Morrow (Jul 21)
    - Re: Attack on UDP 101 Shahab Vahabzadeh (Jul 21)
    - Re: Attack on UDP 101 Christopher Morrow (Jul 21)