Re: Attack on UDP 101

[Christopher Morrow <morrowc.lists () gmail com>]

On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh
<sh.vahabzadeh () gmail com> wrote:
> Dear Stefan,
> I have an 7206VXR Router with this design:
>
> int gig 0/1: directly connected to 3750 switch (uplink to internet)
> int gig 0/2: vlan termination from PSTN centers
> int virtual-template1: xdsl users
>
> Its about 4 days that I see near 300Mpbs outbound traffic in int gig0/1
> that there is no such a traffic in none of routers interface, but the same
> traffic is seen in 3750 peer interface.
> I try to run monitor session on 3750 and monitor port traffic which I see
> that packet is generating from a user and its in a loop between 3750 and
> 7206.

I suspect that the 7206 and 3750 both thing the other guy has
default... and with no more specific to follow the packet just
pingpongs between the 2 devices. I would also suspect you see this for
more than one destination :(

picking just one entry (last entry I see) from route-views.routeviews.org:
BGP routing table entry for 76.164.192.0/19, version 708055091
Paths: (35 available, best #31, table Default-IP-Routing-Table)
...
4436 6939 53340 36114
    69.31.111.244 from 69.31.111.244 (69.31.111.244)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 4436:21216

all of 36114(versaweb) traffic would seem to head through
53340(vegasnap) on the way home, so... maybe something else is going
on like you didn't accept transit routes (or send them or something
else) from your transit? hard to say with as little info as we see
here, but :)

> When I disconnect that user, I see that that packet is in loop again,
> because of that I am sure its making a loop but I do not know the reseaon
> is that packets or not.
>
> Thanks
>
>
> On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
> sfouant () shortestpathfirst net> wrote:
>
> > Can you give us more  information? What do you mean it is causing Layer 3
> > loops?
> >
> > Stefan Fouant
> >
> > Sent from my HTC on the Now Network from Sprint!
> >
> >
> > ----- Reply message -----
> > From: "Shahab Vahabzadeh" <sh.vahabzadeh () gmail com>
> > Date: Sat, Jul 21, 2012 10:50 am
> > Subject: Attack on UDP 101
> > To: <nanog () nanog org>
> >
> > Hi there,
> > Does any body know any report about attack on UDP Port 101 which make Layer
> > 3 Loops?
> > This is an example sniff:
> >
> > Source IP Address is : 76.164.199.86
> > Source port: 62946  Destination port: 101
> > 2012-07-21 11:11:09.646757
> >
> > Thanks
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90