Weird flood DOS protocol 11?

Discussion in 'Cisco' started by PNC, Dec 18, 2003.

  1. PNC

    PNC Guest

    Hi,

    For the last few days, we've been flooded via, apparently, port 0
    protocol 11. According to 'sh ip cache flow':

    Gi5/0 211.107.209.26 PO1/1 ***.***.***.*** 11 0000 0000 24K
    Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 16K
    Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 41K
    Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 21K
    Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 53K
    Gi5/0 211.203.182.159 PO1/1 ***.***.***.*** 11 0000 0000 22K
    Gi5/0 218.39.131.202 PO1/1 ***.***.***.*** 11 0000 0000 61K
    Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 59K
    Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 70K
    Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 51K
    Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 61K
    Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 66K
    Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 78K
    Gi5/0 221.138.57.161 PO1/1 ***.***.***.*** 11 0000 0000 18K

    I had assumed that a 'deny 11 any any' would have blocked them,
    however, these hits seem to go through the access list just fine, even
    when 'deny 11 any any' is at the top of the list. I have tested it
    with that statement being the only deny statement on the list:

    ip access-list extended 100
    deny 11 any any
    permit ip any any

    Then applied to the interface via 'ip access-group extended 100 in'.
    Other access lists work fine applied the same way. A 'show ip access
    list 100' shows no hits to the deny statement.

    These floods are sometimes up to more than 100 Mbps and affect our
    client's 100 Mbps ethernet line.

    Any ideas as to which would be the correct access list for it?

    Peter :)
     
    PNC, Dec 18, 2003
    #1

  2. In article <>,
    (PNC) wrote:

    > Hi,
    >
    > For the last few days, we've been flooded via, apparently port 0
    > protocol 11. According to 'sh ip cache flow':
    >
    > Gi5/0 211.107.209.26 PO1/1 ***.***.***.*** 11 0000 0000 24K
    > Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 16K
    > Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 41K
    > Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 21K
    > Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 53K
    > Gi5/0 211.203.182.159 PO1/1 ***.***.***.*** 11 0000 0000 22K
    > Gi5/0 218.39.131.202 PO1/1 ***.***.***.*** 11 0000 0000 61K
    > Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 59K
    > Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 70K
    > Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 51K
    > Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 61K
    > Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 66K
    > Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 78K
    > Gi5/0 221.138.57.161 PO1/1 ***.***.***.*** 11 0000 0000 18K
    >
    > I had assumed that a 'deny 11 any any' would have blocked them,
    > however, these hits seem to go through the access list just fine, even
    > when 'deny 11 any any' is at the top of the list. I have tested it
    > with that statement being the only deny statement on the list:
    >
    > ip access-list extended 100
    > deny 11 any any
    > permit ip any any


    Protocol numbers in "show ip cache flow" are in hex, but they're in
    decimal in access lists. So if you want to block these, you need to use
    "deny 17 any any".

    BTW, protocol 17 is UDP, so "deny udp any any" would also work.

    --
    Barry Margolin,
    Arlington, MA
     
    Barry Margolin, Dec 19, 2003
    #2
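The hex-versus-decimal mismatch Barry describes is easy to get wrong by hand, so here is an added example (not from the thread) that parses 'show ip cache flow' lines, converts the Pr/SrcP/DstP columns from hex to decimal, prints the matching access-list line, and ranks sources by packet count. It assumes the column layout SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts; the sample lines are constructed after the thread's output, with a documentation address standing in for the masked target.

```python
"""Translate 'show ip cache flow' hex fields into the decimal values an IOS
access list expects, and rank flooding sources by packet count.
Added example, not code from the thread. Assumed column layout:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (Pr/SrcP/DstP hex)."""
from collections import Counter

# Protocol numbers IOS lets you name with a keyword in an extended ACL
# (assumed subset). Anything else is written as its decimal number.
ACL_KEYWORDS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ahp"}

# Constructed sample: sources from the thread, 203.0.113.10 stands in for the
# masked destination; the last line is a normal TCP flow for contrast.
SAMPLE_FLOWS = """\
Gi5/0 211.107.209.26  PO1/1 203.0.113.10 11 0000 0000 24K
Gi5/0 211.202.255.169 PO1/1 203.0.113.10 11 0000 0000 16K
Gi5/0 211.202.255.169 PO1/1 203.0.113.10 11 0000 0000 41K
Gi5/0 198.51.100.7    PO1/1 203.0.113.10 06 0050 C3A1 12
"""

def parse_pkts(field):
    """IOS abbreviates the Pkts column: '24K' -> 24000, '2M' -> 2000000."""
    scale = {"K": 1_000, "M": 1_000_000}
    if field[-1] in scale:
        return int(float(field[:-1]) * scale[field[-1]])
    return int(field)

def parse_flow(line):
    """One flow record with Pr/SrcP/DstP converted from hex to decimal."""
    src_if, src, dst_if, dst, pr, sp, dp, pkts = line.split()
    return {"src": src, "dst": dst, "proto": int(pr, 16),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": parse_pkts(pkts)}

def acl_deny(flow):
    """ACL line for the flow's protocol. Pr '11' in the flow cache is 0x11 = 17
    (UDP); 'deny 11 any any' would match decimal 11 (NVP-II) instead."""
    name = ACL_KEYWORDS.get(flow["proto"], str(flow["proto"]))
    return f"deny {name} any any"

def top_sources(text, proto=None):
    """Packets per source address, optionally limited to one protocol number."""
    counts = Counter()
    for line in text.splitlines():
        flow = parse_flow(line)
        if proto is None or flow["proto"] == proto:
            counts[flow["src"]] += flow["pkts"]
    return counts.most_common()

if __name__ == "__main__":
    for line in SAMPLE_FLOWS.splitlines():
        f = parse_flow(line)
        print(f"Pr 0x{f['proto']:02x} = protocol {f['proto']}: {acl_deny(f)}")
    print(top_sources(SAMPLE_FLOWS, proto=17))
```

Narrow the generated line with a source or 'host' destination before applying it; 'deny udp any any' as printed is only the protocol-level answer from the thread.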

  3. ZeroKool

    ZeroKool Guest

    According to IANA, protocol 11 is NVP-II, the Network Voice Protocol
    [RFC741, SC3]


    http://www.iana.org/assignments/protocol-numbers

    Mirroring the port and sniffing the packets might give you better insight.

    --
    Majid


    "PNC" <> wrote in message
    news:...
    > Hi,
    >
    > For the last few days, we've been flooded via, apparently port 0
    > protocol 11. According to 'sh ip cache flow':
    >
    > Gi5/0 211.107.209.26 PO1/1 ***.***.***.*** 11 0000 0000 24K
    > Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 16K
    > Gi5/0 211.202.255.169 PO1/1 ***.***.***.*** 11 0000 0000 41K
    > Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 21K
    > Gi5/0 211.202.73.224 PO1/1 ***.***.***.*** 11 0000 0000 53K
    > Gi5/0 211.203.182.159 PO1/1 ***.***.***.*** 11 0000 0000 22K
    > Gi5/0 218.39.131.202 PO1/1 ***.***.***.*** 11 0000 0000 61K
    > Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 59K
    > Gi5/0 218.49.121.104 PO1/1 ***.***.***.*** 11 0000 0000 70K
    > Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 51K
    > Gi5/0 218.50.132.111 PO1/1 ***.***.***.*** 11 0000 0000 61K
    > Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 66K
    > Gi5/0 219.250.131.26 PO1/1 ***.***.***.*** 11 0000 0000 78K
    > Gi5/0 221.138.57.161 PO1/1 ***.***.***.*** 11 0000 0000 18K
    >
    > I had assumed that a 'deny 11 any any' would have blocked them,
    > however, these hits seem to go through the access list just fine, even
    > when 'deny 11 any any' is at the top of the list. I have tested it
    > with that statement being the only deny statement on the list:
    >
    > ip access-list extended 100
    > deny 11 any any
    > permit ip any any
    >
    > Then applied to the interface via 'ip access-group extended 100 in'.
    > Other access lists work fine applied the same way. A 'show ip access
    > list 100' shows no hits to the deny statement.
    >
    > These floods are sometimes up to more than 100 Mbps and affect our
    > client's 100 Mbps ethernet line.
    >
    > Any ideas as to which would be the correct access list for it?
    >
    > Peter :)
     
    ZeroKool, Dec 20, 2003
    #3
