From: Greg Ferro (gferro@spiderweb.com.au)
Date: Wed Aug 27 2003 - 19:23:44 GMT-3
I have been using flow routing to determine Nachi. You can show the cache
and see the total volume of ICMP packets. Also the source address. See
sample output below. You can find full mitigation instructions at Cisco here:-
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b143a.shtml
Regards
Greg
wmbartr1# sh ip cache flow
IP packet size distribution (1952764 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .029 .952 .004 .001 .001 .001 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .001 .004 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  4089 active, 7 inactive, 1860266 added
  6113220 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics 00:31:42
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        2319      1.2        12   100     15.1       3.5       1.8
TCP-WWW           1237      0.6         9   602      6.0       0.8       2.1
TCP-SMTP           146      0.0       142   239     10.9       3.1       1.1
TCP-other         3429      1.8        10   199     19.4       2.6       1.7
UDP-DNS             82      0.0         2    87      0.1       0.9       3.9
UDP-NTP             11      0.0         2    89      0.0       0.0       3.2
UDP-TFTP            41      0.0         1    49      0.0       0.0       4.4
UDP-Frag           106      0.0         1   100      0.0       0.7       3.9
UDP-other          985      0.5         1   272      1.0       0.5       3.8
ICMP           1851941    974.7         1    91    974.8       0.0       4.1
Total:         1860297    979.1         1    99   1027.7       0.0       4.1

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0.1       172.21.5.46     Null          203.77.59.126   01 0000 0800     1
Fa0/0.1       172.21.7.1      Null          172.24.78.0     01 0000 0800     1
Fa0/0.1       172.21.5.76     Null          219.232.75.190  01 0000 0800     1
Fa0/0.1       172.21.5.91     Null          218.164.170.234 01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          192.111.144.80  01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          61.104.93.75    01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          218.140.42.175  01 0000 0800     1
Fa0/0.1       172.21.5.33     Null          172.24.140.63   01 0000 0800     1
Fa0/0.1       172.21.5.33     Null          172.24.140.62   01 0000 0800     1
Fa0/0.1       172.21.5.91     Null          61.42.93.112    01 0000 0800     1
At 02:59 PM 27/08/2003 -0500, you wrote:
>Raj,
>
>We didn't have NetFlow enabled either and Sniffer was only way. Our base
>line traffic pattern was 90% HTTP and rest others. Under Nachi attack, we
>saw 3 times more ICMP than HTTP in sniffer traces.
>
>Sam
>
>
> > Hi guys,
> >
> > The Nachi virus struck my network. My router melted down after the attack.
> >
> > As such, there are a huge number of PCs sitting on the inside interface of the
>firewall. the router having the internet link is sitting on the outside
>interface of the firewall.
> >
> > The internal users/servers are connected to the PIX via a 4507 internal L3
>switch.
> >
> > I have identified the traffic coming from inside to outside on port 0800
>(ICMP type 8 packet) from the PATed IP to some arbitrary IPs on the Internet. I
>have blocked ICMP on the PIX and stabilised the situation.
> >
> > But I still am not sure which hosts on the internal network are pushing
>this traffic (i.e. affected with Nachi). I am ready to put Nachi patches on all
>the 500-odd machines,
> > but it is a bit tough!
> >
> > Is there any way to find the machine pumping this traffic from the switch?
>I am not able to enable ip route-cache flow or ip accounting on the VLAN
>interface, nor able to enable MLS. Is there any other way to see this
>information?
> >
> > Cheers
> > Raj
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
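Greg's two checks above (how much of the traffic is ICMP, and which source addresses are sending the echo requests) can be automated once "show ip cache flow" output is captured to a file. The Python script below is an added example for this archive page; it is not part of the thread and not a Cisco tool. It parses a constructed sample written in the format of the posted output (the summary figures are copied from it, the flow records are made up), computes the ICMP share of packets per second from the per-protocol table, and then aggregates the flow records per source address. The scanner heuristic it applies is an assumption stated in the code: a worm-infected host shows many single-packet echo-request flows, each to a different destination, while a host pinging one address repeatedly shows one flow with many packets. It only works on a box where NetFlow is actually enabled on the ingress interface, which is exactly what Raj could not do on the 4507 VLAN interface.

```python
"""Rank likely Nachi-style scanners from 'show ip cache flow' output (added example)."""
import re
from collections import defaultdict

# Constructed sample in the format of the output posted above; not a capture
# from the poster's router. Summary rows copied from the post, flow rows made up.
SAMPLE_OUTPUT = """\
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW           1237      0.6         9   602      6.0       0.8       2.1
TCP-other         3429      1.8        10   199     19.4       2.6       1.7
ICMP           1851941    974.7         1    91    974.8       0.0       4.1
Total:         1860297    979.1         1    99   1027.7       0.0       4.1

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0.1       172.21.5.46     Null          203.77.59.126   01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          192.111.144.80  01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          61.104.93.75    01 0000 0800     1
Fa0/0.1       172.21.5.46     Null          218.140.42.175  01 0000 0800     1
Fa0/0.1       172.21.5.33     Null          172.24.140.63   01 0000 0800     1
Fa0/0.1       172.21.5.33     Null          172.24.140.62   01 0000 0800     1
Fa0/0.1       172.21.5.91     Null          61.42.93.112    01 0000 0800     1
Fa0/0.1       172.21.7.1      Fa0/1         172.24.78.10    01 0000 0800    40
Fa0/0.1       172.21.5.91     Fa0/1         172.24.78.25    06 0C3A 0017    12
"""

# Per-protocol summary row: name, flows, flows/s, pkts/flow, bytes/pkt, pkts/s, active, idle
SUMMARY_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)
# Flow record row; Pr is the IP protocol in hex, SrcP/DstP are 16-bit hex fields.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_protocol_summary(text):
    """Return {protocol: (total_flows, packets_per_sec)}; 'Total:' is keyed as 'Total'."""
    summary = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1).rstrip(":")] = (int(m.group(2)), float(m.group(6)))
    return summary


def icmp_packet_share(text):
    """Fraction of the packets/sec figure that is ICMP (Greg's 'total volume' check)."""
    summary = parse_protocol_summary(text)
    return summary["ICMP"][1] / summary["Total"][1]


def echo_request_sources(text):
    """Aggregate ICMP echo-request flows per source address.

    For ICMP, NetFlow stores type*256+code in the DstP column, so 0800 is
    type 8 code 0 (echo request). A DstIf of Null means the router dropped
    the packet rather than forwarding it.
    """
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "dsts": set(), "dropped": 0})
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["proto"], 16) != 1 or int(m["dport"], 16) != 0x0800:
            continue
        s = stats[m["src"]]
        s["flows"] += 1
        s["pkts"] += int(m["pkts"])
        s["dsts"].add(m["dst"])
        if m["dst_if"] == "Null":
            s["dropped"] += 1
    return {src: {"flows": v["flows"], "pkts": v["pkts"],
                  "dsts": len(v["dsts"]), "dropped": v["dropped"]}
            for src, v in stats.items()}


def suspect_scanners(text, min_dsts=2, max_pkts_per_flow=2.0):
    """Sources whose echo requests look like scanning (assumed heuristic):
    at least min_dsts distinct destinations and roughly one packet per flow.
    A host pinging a single address many times is not flagged."""
    ranked = []
    for src, s in echo_request_sources(text).items():
        if s["dsts"] >= min_dsts and s["pkts"] / s["flows"] <= max_pkts_per_flow:
            ranked.append((s["dsts"], s["pkts"], src))
    ranked.sort(reverse=True)
    return [src for _, _, src in ranked]


if __name__ == "__main__":
    print(f"ICMP share of packets/sec: {icmp_packet_share(SAMPLE_OUTPUT):.1%}")
    per_source = echo_request_sources(SAMPLE_OUTPUT)
    for src in suspect_scanners(SAMPLE_OUTPUT):
        print(src, per_source[src])
```

On the sample, 172.21.5.46 and 172.21.5.33 are reported as scanners; 172.21.7.1 (one 40-packet flow to a single host) and 172.21.5.91 (one echo flow plus a Telnet session) are not. On a real router the flow cache only holds what is currently active, so capture the output several times during the outbreak and feed the concatenation to the script, and remember that the source column is whatever address the router sees: behind a PIX doing PAT that is the translated address, which is Raj's problem, so the capture has to come from inside the NAT boundary.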
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:08 GMT-3