Attacking on Source Port 0 (ZERO)
Hi everybody, Does any body know what kind of attack can be come to port 0? I see such a logs in my routers which make high cpu loads: MYROUTERIP:0 *41.78.77.178:2816* MYROUTERIP:0 *217.160.5.153:2816* Thanks -- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator Cell Phone: +1 (415) 871 0742 PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:
Does any body know what kind of attack can be come to port 0?
If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS attack. If it's port 0, you may be incorrectly blocking non-initial fragments. Alternately, it could represent a fragmented DDoS attack, either non-initial fragments fired directly against something on your network or as the result of a DNS reflection/amplification attack against something on your network. The log fragment you posted doesn't provide enough detail to make an informed judgement. Also, you should not place servers behind a stateful firewall, anyways. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton
Hi there, It was TCP and I think it was not a DDoS attack because the traffic was not heavy. But I see abnormal cpu usage (%99) in my BRAS's which are Cisco 7206 VXR. I think it act like a warm or some attacks which cause high CPU load in some IOS. Thanks On Sun, Oct 14, 2012 at 5:13 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:
Does any body know what kind of attack can be come to port 0?
If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS attack.
If it's port 0, you may be incorrectly blocking non-initial fragments. Alternately, it could represent a fragmented DDoS attack, either non-initial fragments fired directly against something on your network or as the result of a DNS reflection/amplification attack against something on your network.
The log fragment you posted doesn't provide enough detail to make an informed judgement. Also, you should not place servers behind a stateful firewall, anyways.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
-- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator Cell Phone: +1 (415) 871 0742 PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
On 14/10/2012 20:59, Shahab Vahabzadeh wrote:
But I see abnormal cpu usage (%99) in my BRAS's which are Cisco 7206 VXR.
If you haven't already configured CoPP on your BRASs, you might want to look at deploying it. It won't solve this sort of problem, but it will probably help:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/pro...
There are many other configuration examples and documentation pages on the web, but this one gives a good overview. Nick
On Oct 15, 2012, at 3:57 AM, Nick Hilliard wrote:
If you haven't already configured CoPP on your BRASs, you might want to look at deploying it.
CoPP is pretty much a wash on software-based boxes; it only really helps on hardware-based boxes. And iACLs is easier/a bigger win, anyways (though anyone using software-based boxes on the Internet in 2012 is just waiting to be zorched). ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton
On Oct 15, 2012, at 2:59 AM, Shahab Vahabzadeh wrote:
I think it act like a warm or some attacks which cause high CPU load in some IOS.
i.e., a DDoS attack. You should configure iACLs at your edge so that random sources on the Internet can't packet your routers. Hopefully, you have hardware-based edge devices, not just software-based devices and (awful) stateful firewalls - the days of software-based devices on the Internet were over years ago. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton
On Oct 14, 2012, at 9:02 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
Hopefully, you have hardware-based edge devices, not just software-based devices and (awful) stateful firewalls - the days of software-based devices on the Internet were over years ago.
Software forwarding is usually only a problem if you have the $5 CPU that Cisco puts in their $30K boxes. The overwhelming majority of edge connections are <=1Gbps. A modern x86 can handle several of these connections *per core* at minimum packet sizes with stock Linux/BSD, including ACLs. 10G+ forwarding with minimum packet sizes is possible on a single core using optimized kernels (see Intel DPDK and PF_RING DNA). You don't need to handle more packets than you can possibly receive over your interfaces.
On Oct 16, 2012, at 8:57 AM, Ryan Malayter wrote:
10G+ forwarding with minimum packet sizes is possible on a single core using optimized kernels (see Intel DPDK and PF_RING DNA).
Of course it isn't. You can *approach* 10gb/sec with multiple cores and minimum packet sizes, granted.
You don't need to handle more packets than you can possibly receive over your interfaces.
Yes, you do, because forwarding 64-byte packets at 'line-rate', whilst very important, isn't the only metric. I know all about the forwarding capabilities of modern general-purpose CPUs, ring-buffers, et. al. I know what is possible, and what isn't possible. And please, no more from the Vyatta crowd, et. al. - they're like the s/Flow shouters, only more so. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton
Roland, Sent from my iPhone On Oct 15, 2012, at 7:47 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
I know all about the forwarding capabilities of modern general-purpose CPUs, ring-buffers, et. al. I know what is possible, and what isn't possible. And please, no more from the Vyatta crowd, et. al. - they're like the s/Flow shouters, only more so.
What is possible these days with ivy bridge based CPUs and the DPDK? How many pps can you do per core assuming you are using the highest performing CPU currently commercially available?
participants (5)
-
Dobbins, Roland
-
Nick Hilliard
-
Ryan Malayter
-
Shahab Vahabzadeh
-
Steven Noble