North American Network Operators Group


Re: FW: Worm / UDP1434

  • From: Mikael Abrahamsson
  • Date: Sat Jan 25 13:49:40 2003

On Sat, 25 Jan 2003, Freedman David wrote:

> Anybody here on list using Extreme products
> (Summit/Alpine/Blackdiamond)?

We extensively use Extreme Networks products in our core, distribution and
access. The roadrunner chipset units (Summit24/48) (used mainly for
access) die if you try to put more than say 5 megabit/s of this flood
thru them. A lot of purely route-cache products do this, I've talked to
people with the same experience with Enterasys units etc. We had a few of
those killed off by customers infected and buying 10 megabit/s from us.

On the other hand, our inferno chipset units (BDs with MSM64i, Summit48i
etc) with EW 6.2.2b56 code handled this just fine. One unit which was
directly connected to the customer which tried to put 10 megabit/s of
flood thru it complained with some errors but there were never any problems
logging into the unit, checking to see where the traffic was from etc. I
was able to disable the customer's VLAN from the customer port and
everything went back to normal.

> Extreme are apparently assembling an "advisory TAC" on this, from our
> point of view, since we use the devices to do L3 aggregation (for colo
> and such) we've used an ACL to try and combat the offending traffic, but
> it's not doing much good.....

I just did:

    create access-list block1434 udp destination any ip-port 1434 source any ip-port any deny ports any

Bingo, dropping several kpps of traffic thru the switch (BD with 
MSM64i) hands down, no problemo. I am quite happy with how the I-chipset 
boxen handled the situation, since they are also route cache based I 
feared they would really get struck badly but I have seen no such 
problems. 

-- 
Mikael Abrahamsson    email: [email protected]