nanog mailing list archives
RE: Worm / UDP1434
From: Freedman David <David.Freedman () netscalibur co uk>
Date: Sun, 26 Jan 2003 09:27:45 -0000
This is exactly what we had to do, we couldn't even get to the boxes, I had a NOC engineer go and console them out of band and run a "sh port util" to find out whom the offenders were, before disabling their ports. Extreme were unhelpful, suggesting that we apply the ACL (advisory released ~6 hours after we had done it!) which really made no difference. As for multicast, I'd made sure that all VLANs had IGMP,IGMP SNOOPING and IPMC FORAWRDING disabled, but it made no real difference.... Dave. -----Original Message----- From: sjk To: andy () tigerteam net Cc: neil () DOMINO ORG; David.Freedman () netscalibur co uk; nanog () nanog org Sent: 1/26/03 5:18 AM Subject: Re: Worm / UDP1434 This is true -- the acls don't reduce the tBGTask or the tNetTask -- nor does disabling ip forwarding on the vlan. We have around ten of these, and they were hit particularly hard today. You actually have to shut down the offening hosts to set the switches right. --sjk On 25 Jan, Andy Walden wrote:
On Sat, 25 Jan 2003, Neil J. McRae wrote:Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)? They sure don't like this traffic one bit. It causes them to not only drop traffic, but spew out every available error message under the sun... Extreme are apparently assembling an "advisory TAC" on this, from our point of view, since we use the devices to do l3 aggregation (for colo and such) we've used an ACL to try and combat the offending traffic, but its not doing much good.....Do you have MCAST enabled on these switches? I'd guess this is what is causing issues on the extreme boxes.I think the architecture is flow-based, ie, the first packet of each flow hits the CPU. This is probably causing the high CPU utilization. The flow would still hit the CPU even with a ACL and then probably be written to the ASIC with a null location. andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
________________________________ Do not taunt Happy Fun Ball. sjk () sleepycatz com -- Email Disclaimer can be viewed at: http://www.netscalibur.co.uk/email.html --
Current thread:
- FW: Worm / UDP1434 Freedman David (Jan 25)
- Re: FW: Worm / UDP1434 Mikael Abrahamsson (Jan 25)
- Re: Worm / UDP1434 Jack Bates (Jan 25)
- <Possible follow-ups>
- Worm / UDP1434 Freedman David (Jan 25)
- Re: Worm / UDP1434 Neil J. McRae (Jan 25)
- Re: Worm / UDP1434 Andy Walden (Jan 25)
- Re: Worm / UDP1434 K. Scott Bethke (Jan 25)
- management interface accessability (was Re: Worm / UDP1434) Paul Vixie (Jan 25)
- Re: Worm / UDP1434 Neil J. McRae (Jan 25)
- RE: Worm / UDP1434 Freedman David (Jan 26)