North American Network Operators Group


Re: Does Anyone Care?

  • From: Bjorn Carlsson
  • Date: Fri Feb 11 02:59:06 2000

Hi,

Not sure I follow. schnell.ebone.net is actually an interface of Sprint
icm-bb1-pen which connects to a FDDI ring in Pennsauken built for multicast.
The name/address (schnell.ebone.net) is there for historical reasons and
should be changed to something-else.icp.net.

As for directed broadcast it is long since turned off on all EBONE
routers.

--BC

> Ok, here's some more stuff on the directed broadcast out of the 
> Sprint NAP in Pennsauken, NJ.
> 
> 1) Directed broadcasts weren't disabled at the Spokane, WA router and
>    whoever was doing this attack was aware of that fact. I managed to
>    disable it and write that change to memory.
> 
>    If you decided to check that router anytime soon (spn-brdr-01) check
>    the counters on the Fddi1/1/0 interface that links to the Pennsauken
>    NAP. You'll see that 99% of the traffic coming through are directed
>    broadcasts.
> 
> 2) If you decided to restore the configuration on that router, I suggest
>    you go back in and disable directed broadcasts on the Ebone interface
>    (Fddi1/1/0) because it wasn't disabled when I initially logged in and
>    the directed broadcast still appears to be active (4:28pm EST,
>    February 10, 1999).
> 
>    traceroute to schnell.ebone.net (192.36.137.1): 1-30 hops, 38 byte packets
>     1  vdi-dialup.vdi.net (209.201.95.2) [AS3951 - NETBLK-ICON-NET5]  109 ms 130 ms  110 ms
>     2  router.vdi.net (209.3.31.1) [AS3951 - NETBLK-ICON-NET4]  110 ms 130 ms  120 ms
>     3  Hssi3-0-0.border2.teb1.IConNet.NET (209.3.187.253) [AS3951 - NETBLK-ICON-NET4]  120 ms  139 ms  120 ms
>     4  POS10-0-0.core1.teb1.IConNet.NET (204.245.71.201) [AS3951 - ICon CMT Corp.]  120 ms  149 ms  120 ms
>     5  205.171.4.217 (205.171.4.217) [AS3909 - Colorado Supernet, Inc.] 119 ms  149 ms  120 ms
>     6  205.171.4.134 (205.171.4.134) [AS3909 - Colorado Supernet, Inc.] 140 ms  158 ms  120 ms
>     7  schnell.ebone.net (192.36.137.1)  230 ms (ttl=244!)  259 ms (ttl=244!)  *
> 
>    Notice the latency jump at the last hop, five other traceroutes showed
>    similar data.
> 
> 3) Check the NYC core router (nyc-core-01) and look at the Teleglobe and
>    Spokane interfaces, earlier that day, there was approximately 75mbps
>    coming in on the Teleglobe interface (POS0/0) and the same amount being
>    output to the Spokane-bound interface.
> 
> 4) I shut down the Sprint interface (Fddi2/1/0) on the Spokane border
>    router for about 30 seconds, and there was approximately a 5mbps  
>    decrease in the directed broadcasts coming from Ebone at the Pennsauken
>    NAP.
> 
> 5) I then shut down the Ebone interface (Fddi1/1/0) on the Spokane border
>    router for about 30 seconds, and there was approximately a 10mbps  
>    decrease in the outgoing traffic of the Sprint interface (Fddi2/1/0).
> 
> 6) The interface statistics on the Sprint interface (Fddi2/1/0) showed
>    there were some broadcasts being sent, but not as numerous as the Ebone
>    interface, I would advise you check the other side of that
>    interface for abnormal activity.
> 
> 7) If you normally keep track of all your customers' bandwidth
>    utilization, look for excessive peaks in the incoming and outgoing
>    paths along with anything that has jumped excessively in the past
>    three days.
> 
> Omachonu Ogali
> Intranova Networking Group
>