Kazaa NBAR bug - latest PDLM??

Discussion in 'Cisco' started by P, Oct 23, 2003.

  1. P

    P Guest

    Hi all.

    Watch out for this. I would suspect that it would be common across 12.3
    IOS's..

    I had this on a 3725.. running 12.3(3). It had me stumped for ages because
    the symptoms look like a DOS attack.. I have comments/questions annotated
    inline..

    http://www.cisco.com/cgi-bin/Suppor...uct=IOS&fset=NBAR&swver=&keyw=&target=&train=

    NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The problem
    was seen on a 7200-series router and 1700-series router and appears to be a
    platform-independent problem. Kazaa2 can use any available port, including
    DNS (53) and HTTP (80), and NBAR looks into the packet to see if it's a
    Kazaa2 packet. However, NBAR is matching legitimate DNS, HTTP, HTTPS and SMTP
    packets as Kazaa2 traffic. This problem is only seen when the number of
    active links reaches a fairly high value (such as 3900), as seen in "show ip
    nbar resources".

    *note, I had this with active links much less - like 180*


    This problem results in non-Kazaa2 traffic being matched and having actions
    taken on the traffic that are detrimental to network performance, such as
    the rate-limiting of DNS, web traffic, and e-mail (and only Kazaa2 traffic
    was configured to be rate-limited / policed). It can also cause other
    features to fail, such as vpn tunnels not coming up, because the packets
    needed to establish the connections are incorrectly marked as Kazaa2 traffic
    and possibly dropped or rate-limited.

    The solution is to load the latest Kazaa2 PDLM, currently available on CCO
    and use the "ip nbar pdlm" command to load the PDLM from flash.

    There are a couple of workarounds if the new PDLM cannot be downloaded yet. One
    workaround is to do "no ip nbar resources"; however, the problem will return
    after a while. Another workaround is to remove "match protocol kazaa2".

    *Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and my
    IOS was compiled in September 03. So is this definitely the latest one??*

    thanks

    P
     
    P, Oct 23, 2003
    #1
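    A defender-side IOS configuration sketch, added here and not taken from the thread or from Cisco, that puts the bug entry's pieces side by side: a policy that is only meant to police Kazaa2, the show commands that reveal when legitimate DNS/HTTP/SMTP is being swept into that class, the PDLM load that fixes it, and the two workarounds. The class/policy names, police rates, interface name and PDLM filename are placeholders.

```cisco
! --- Policy as typically deployed: only Kazaa2 is supposed to be policed ---
class-map match-any P2P-KAZAA
 match protocol kazaa2
!
policy-map POLICE-P2P
 class P2P-KAZAA
  police 64000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input POLICE-P2P
!
! --- Checks (exec mode). With the misclassification bug, DNS/HTTP/SMTP
! bytes appear under kazaa2 in protocol-discovery and the exceed-action
! drop counter climbs even when no real Kazaa2 client is present.
! The poster saw this with far fewer active links than the bug entry's 3900.
show ip nbar resources
show ip nbar protocol-discovery interface FastEthernet0/0
show policy-map interface FastEthernet0/0 input
!
! --- Fix: load the updated Kazaa2 PDLM from flash (no reload needed),
! then confirm it is loaded. Filename is a placeholder.
ip nbar pdlm flash:kazaa2.pdlm
show ip nbar pdlm
!
! --- Workarounds from the bug entry if the PDLM is not yet available ---
! (a) clear NBAR's link state; the bug entry warns it comes back after a while
no ip nbar resources
! (b) stop matching kazaa2 entirely, which also disables the policing
class-map match-any P2P-KAZAA
 no match protocol kazaa2
```

    Exec-mode show commands are mixed in with config-mode lines for readability; run each in the appropriate mode.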

  2. P

    mimiseh Guest

    Can you point me to a Cisco link that explains how to implement NBAR to
    block Kazaa traffic?
    "P" <> wrote in message
    news:ZRPlb.256$...
    > Hi all.
    >
    > Watch out for this. I would suspect that it would be common across 12.3
    > IOS's..
    >
    > I had this on a 3725.. running 12.3(3). It had me stumped for ages because
    > the symptoms look like a DOS attack.. I have comments/questions annotated
    > inline..
    >
    > http://www.cisco.com/cgi-bin/Suppor...uct=IOS&fset=NBAR&swver=&keyw=&target=&train=
    >
    > NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The problem
    > was seen on a 7200-series router and 1700-series router and appears to be a
    > platform-independent problem. Kazaa2 can use any available port, including
    > DNS (53) and HTTP (80), and NBAR looks into the packet to see if it's a
    > Kazaa2 packet. However, NBAR is matching legitimate DNS, HTTP, HTTPS and SMTP
    > packets as Kazaa2 traffic. This problem is only seen when the number of
    > active links reaches a fairly high value (such as 3900), as seen in "show ip
    > nbar resources".
    >
    > *note, I had this with active links much less - like 180*
    >
    > This problem results in non-Kazaa2 traffic being matched and having actions
    > taken on the traffic that are detrimental to network performance, such as
    > the rate-limiting of DNS, web traffic, and e-mail (and only Kazaa2 traffic
    > was configured to be rate-limited / policed). It can also cause other
    > features to fail, such as vpn tunnels not coming up, because the packets
    > needed to establish the connections are incorrectly marked as Kazaa2 traffic
    > and possibly dropped or rate-limited.
    >
    > The solution is to load the latest Kazaa2 PDLM, currently available on CCO
    > and use the "ip nbar pdlm" command to load the PDLM from flash.
    >
    > There are a couple of workarounds if the new PDLM cannot be downloaded yet. One
    > workaround is to do "no ip nbar resources"; however, the problem will return
    > after a while. Another workaround is to remove "match protocol kazaa2".
    >
    > *Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and my
    > IOS was compiled in September 03. So is this definitely the latest one??*
    >
    > thanks
    >
    > P
     
    mimiseh, Oct 23, 2003
    #2

  3. P

    Hugo Drax Guest

    "P" <> wrote in message
    news:ZRPlb.256$...
    > Hi all.
    >
    > Watch out for this. I would suspect that it would be common across 12.3
    > IOS's..
    >
    > I had this on a 3725.. running 12.3(3). It had me stumped for ages because
    > the symptoms look like a DOS attack.. I have comments/question annotated
    > inline..
    >
    >
    > http://www.cisco.com/cgi-bin/Suppor...uct=IOS&fset=NBAR&swver=&keyw=&target=&train=
    >

    does 12.3.3a resolve this? or will I have to wait til 12.3.4
     
    Hugo Drax, Oct 23, 2003
    #3
  4. P

    P Guest

    not according to the bug entry..

    but I'm about to whack it on and see..

    "Hugo Drax" <> wrote in message
    news:bn92c1$u56f9$-berlin.de...
    >
    > "P" <> wrote in message
    > news:ZRPlb.256$...
    > > Hi all.
    > >
    > > Watch out for this. I would suspect that it would be common across 12.3
    > > IOS's..
    > >
    > > I had this on a 3725.. running 12.3(3). It had me stumped for ages because
    > > the symptoms look like a DOS attack.. I have comments/questions annotated
    > > inline..
    > >
    > > http://www.cisco.com/cgi-bin/Suppor...uct=IOS&fset=NBAR&swver=&keyw=&target=&train=
    > >
    >
    > does 12.3.3a resolve this? or will I have to wait til 12.3.4
    >
     
    P, Oct 23, 2003
    #4
  5. P

    P Guest

    just search cisco for nbar.. it's in the ios security config guide most
    likely

    "mimiseh" <> wrote in message
    news:3URlb.1246$...
    > Can you point me to a Cisco link that explains how to implement NBAR to
    > block Kazaa traffic?
    > "P" <> wrote in message
    > news:ZRPlb.256$...
    > > Hi all.
    > >
    > > Watch out for this. I would suspect that it would be common across 12.3
    > > IOS's..
    > >
    > > I had this on a 3725.. running 12.3(3). It had me stumped for ages because
    > > the symptoms look like a DOS attack.. I have comments/questions annotated
    > > inline..
    > >
    > > http://www.cisco.com/cgi-bin/Suppor...uct=IOS&fset=NBAR&swver=&keyw=&target=&train=
    > >
    > > NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The problem
    > > was seen on a 7200-series router and 1700-series router and appears to be a
    > > platform-independent problem. Kazaa2 can use any available port, including
    > > DNS (53) and HTTP (80), and NBAR looks into the packet to see if it's a
    > > Kazaa2 packet. However, NBAR is matching legitimate DNS, HTTP, HTTPS and SMTP
    > > packets as Kazaa2 traffic. This problem is only seen when the number of
    > > active links reaches a fairly high value (such as 3900), as seen in "show ip
    > > nbar resources".
    > >
    > > *note, I had this with active links much less - like 180*
    > >
    > > This problem results in non-Kazaa2 traffic being matched and having actions
    > > taken on the traffic that are detrimental to network performance, such as
    > > the rate-limiting of DNS, web traffic, and e-mail (and only Kazaa2 traffic
    > > was configured to be rate-limited / policed). It can also cause other
    > > features to fail, such as vpn tunnels not coming up, because the packets
    > > needed to establish the connections are incorrectly marked as Kazaa2 traffic
    > > and possibly dropped or rate-limited.
    > >
    > > The solution is to load the latest Kazaa2 PDLM, currently available on CCO
    > > and use the "ip nbar pdlm" command to load the PDLM from flash.
    > >
    > > There are a couple of workarounds if the new PDLM cannot be downloaded yet. One
    > > workaround is to do "no ip nbar resources"; however, the problem will return
    > > after a while. Another workaround is to remove "match protocol kazaa2".
    > >
    > > *Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and my
    > > IOS was compiled in September 03. So is this definitely the latest one??*
    > >
    > > thanks
    > >
    > > P
    > >
    >
     
    P, Oct 23, 2003
    #5
  6. P

    Hugo Drax Guest

    "P" <> wrote in message
    news:ctYlb.336$...
    > not according to the bug entry..
    >
    > but I'm about to whack it on and see..
    >


    That sucks, I was planning to move to 12.3 code on a 7200 for that reason
    but I will not risk it if they do not resolve that issue in a 12.3.x release
     
    Hugo Drax, Oct 24, 2003
    #6
  7. P

    Richard Deal Guest

    Hugo,

    It's not a big deal...just download the PDLM file to flash and have the IOS
    load it. This is pretty cool since it provides modularity without having to
    reboot the IOS--sort of like a callable module. NBAR is actually one of my
    favorite features in the IOS--you can do some really neat filtering stuff
    with it.

    Hope this helps!

    Cheers!
    --

    Richard A. Deal

    Visit my home page at http://home.cfl.rr.com/dealgroup/

    Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
    Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
    CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

    Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
    exams on the market.



    "Hugo Drax" <> wrote in message
    news:bna54l$u3jqg$-berlin.de...
    >
    > "P" <> wrote in message
    > news:ctYlb.336$...
    > > not according to the bug entry..
    > >
    > > but I'm about to whack it on and see..
    > >
    >
    > That sucks, I was planning to move to 12.3 code on a 7200 for that reason
    > but I will not risk it if they do not resolve that issue in a 12.3.x release
    >
     
    Richard Deal, Oct 24, 2003
    #7
  8. P

    P Guest

    Hey Richard

    I was bothered by the fact that the PDLM was dated 6 months prior to the IOS
    image I have..

    Why wasn't the 6-month-old PDLM image included with NBAR in 12.3(3)?

    "Richard Deal" <> wrote in message
    news:cRcmb.31399$...
    > Hugo,
    >
    > It's not a big deal...just download the PDLM file to flash and have the IOS
    > load it. This is pretty cool since it provides modularity without having to
    > reboot the IOS--sort of like a callable module. NBAR is actually one of my
    > favorite features in the IOS--you can do some really neat filtering stuff
    > with it.
    >
    > Hope this helps!
    >
    > Cheers!
    > --
    >
    > Richard A. Deal
    >
    > Visit my home page at http://home.cfl.rr.com/dealgroup/
    >
    > Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
    > Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
    > CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram
    >
    > Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
    > exams on the market.
    >
    > "Hugo Drax" <> wrote in message
    > news:bna54l$u3jqg$-berlin.de...
    > >
    > > "P" <> wrote in message
    > > news:ctYlb.336$...
    > > > not according to the bug entry..
    > > >
    > > > but I'm about to whack it on and see..
    > > >
    > >
    > > That sucks, I was planning to move to 12.3 code on a 7200 for that reason
    > > but I will not risk it if they do not resolve that issue in a 12.3.x release
    > >
    >
     
    P, Oct 25, 2003
    #8
