[27296] in North American Network Operators' Group
Re: Does Anyone Care?
daemon@ATHENA.MIT.EDU (Bjorn Carlsson)
Fri Feb 11 02:58:18 2000
To: oogali@intranova.net
Cc: nanog@nanog.org, ras@above.net, noc@qwest.net, noc@ebone.net,
noc@sprint.net, briand@teleglobe.net
From: Bjorn Carlsson <bc@ebone.net>
In-Reply-To: <Pine.BSF.4.10.10002101618520.3396-100000@hydrant.intranova.net>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000211085554E.bc@ebone.net>
Date: Fri, 11 Feb 2000 08:55:54 +0100
Errors-To: owner-nanog-outgoing@merit.edu
Hi,
Not sure I follow. schnell.ebone.net is actually an interface of Sprint
icm-bb1-pen which connects to an FDDI ring in Pennsauken built for multicast.
The name/address (schnell.ebone.net) is there for historical reasons and
should be changed to something-else.icp.net.
As for directed broadcast it is long since turned off on all EBONE
routers.
--BC
> Ok, here's some more stuff on the directed broadcast out of the
> Sprint NAP in Pennsauken, NJ.
>
> 1) Directed broadcasts weren't disabled at the Spokane, WA router and
> whoever was doing this attack was aware of that fact. I managed to
> disable it and write that change to memory.
>
> If you decided to check that router anytime soon (spn-brdr-01) check
> the counters on the Fddi1/1/0 interface that links to the Pennsauken
> NAP. You'll see that 99% of the traffic coming through are directed
> broadcasts.
>
> 2) If you decided to restore the configuration on that router, I suggest
> you go back in and disable directed broadcasts on the Ebone interface
> (Fddi1/1/0) because it wasn't disabled when I initially logged in and
> the directed broadcast still appears to be active (4:28pm EST,
> February 10, 1999).
>
> traceroute to schnell.ebone.net (192.36.137.1): 1-30 hops, 38 byte packets
> 1 vdi-dialup.vdi.net (209.201.95.2) [AS3951 - NETBLK-ICON-NET5] 109 ms 130 ms 110 ms
> 2 router.vdi.net (209.3.31.1) [AS3951 - NETBLK-ICON-NET4] 110 ms 130 ms 120 ms
> 3 Hssi3-0-0.border2.teb1.IConNet.NET (209.3.187.253) [AS3951 - NETBLK-ICON-NET4] 120 ms 139 ms 120 ms
> 4 POS10-0-0.core1.teb1.IConNet.NET (204.245.71.201) [AS3951 - ICon CMT Corp.] 120 ms 149 ms 120 ms
> 5 205.171.4.217 (205.171.4.217) [AS3909 - Colorado Supernet, Inc.] 119 ms 149 ms 120 ms
> 6 205.171.4.134 (205.171.4.134) [AS3909 - Colorado Supernet, Inc.] 140 ms 158 ms 120 ms
> 7 schnell.ebone.net (192.36.137.1) 230 ms (ttl=244!) 259 ms (ttl=244!) *
>
> Notice the latency jump at the last hop, five other traceroutes showed
> similar data.
>
> 3) Check the NYC core router (nyc-core-01) and look at the Teleglobe and
> Spokane interfaces, earlier that day, there was approximately 75mbps
> coming in on the Teleglobe interface (POS0/0) and the same amount being
> output to the Spokane-bound interface.
>
> 4) I shut down the Sprint interface (Fddi2/1/0) on the Spokane border
> router for about 30 seconds, and there was approximately a 5mbps
> decrease in the directed broadcasts coming from Ebone at the Pennsauken
> NAP.
>
> 5) I then shut down the Ebone interface (Fddi1/1/0) on the Spokane border
> router for about 30 seconds, and there was approximately a 10mbps
> decrease in the outgoing traffic of the Sprint interface (Fddi2/1/0).
>
> 6) The interface statistics on the Sprint interface (Fddi2/1/0) showed
> there were some broadcasts being sent, but not as numerous as the Ebone
> interface, I would advise you check the other side of that
> interface for abnormal activity.
>
> 7) If you normally keep track of all your customers' bandwidth
> utilization, look for excessive peaks in the incoming and outgoing
> paths along with anything that has jumped excessively in the past
> three days.
>
> Omachonu Ogali
> Intranova Networking Group
>
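
Added example, not part of the original thread or of either poster's tooling: a per-interface audit of a saved IOS-style configuration for the directed-broadcast setting both messages discuss. The sample configuration is constructed (documentation addresses, interface names borrowed from the thread), and treating an interface with no explicit statement as "implicit" is an assumption made because the default differs between software releases.

```python
import re

# Constructed sample configuration (IOS-style syntax). Interface names reuse
# those mentioned in the thread; addresses are documentation ranges.
SAMPLE_CONFIG = """\
hostname example-border
!
interface Fddi1/1/0
 description peer-facing FDDI
 ip address 192.0.2.1 255.255.255.0
!
interface Fddi2/1/0
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface POS0/0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast 101
!
interface Loopback0
 no ip address
!
"""

def audit_directed_broadcast(config_text):
    """Return {interface: state}; state is 'disabled', 'enabled' or 'implicit'."""
    results = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            results[current] = "implicit"   # no explicit statement seen yet
            continue
        if current is None:
            continue
        if not line.startswith(" "):        # stanza ends at first unindented line
            current = None
            continue
        stmt = line.strip()
        if stmt == "no ip directed-broadcast":
            results[current] = "disabled"
        elif re.match(r"^ip directed-broadcast(\s|$)", stmt):
            results[current] = "enabled"    # possibly restricted by an ACL
    return results

def needs_attention(config_text):
    """Interfaces where forwarding is enabled or depends on the release default."""
    return sorted(n for n, s in audit_directed_broadcast(config_text).items() if s != "disabled")
```

Running `needs_attention` over each router's saved configuration gives the list of interfaces to check by hand, which is the review the quoted message asks the operators to do on Fddi1/1/0.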