Flood protection MTU 1500 fragmented

mihaitanasescu
Level 1

Hello,

I've just recently been faced with a flood on a 3750 that I can't seem to handle and would greatly appreciate any help offered.

I have the following setup:

24 interfaces used out of 48 on a Cisco 3750.

The C3750 has unicast storm control which prevents it from failing in case of a flood with many small packets.

All this was fine until recently, when the users behind it started a flood that looks like this:

1) each packet has size=ethernet MTU=1500

2) each packet has the same ID and different offsets so they are made to look like fragmented packets

3) On my Linux border router (plugged into the C3750) with tcpdump -n -i eth1 -vvv I see:

21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

As you can see it has no udp source port or destination port in the packet header.

When this happens, although the C3750 CPU is not more than 30%, all traffic that is routed through it has a loss of 80-90%.

Has anyone ever encountered this?

Is there a way to filter it in the future?

Any advice or some links in regard to this would be greatly appreciated.

Sorry if I have misplaced the list for problems like this.
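
An added example, not part of the original post: a Python script that groups tcpdump lines of the shape shown above by source, destination and IP ID, and reports datagrams seen only as non-first fragments. Only the offset-0 fragment carries the UDP header, which is why no ports appear in the capture. The function names and the `min_frags` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Matches the `tcpdump -n -vvv` IPv4 line shape shown in the post.
LINE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length:? (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>[^\s:]+):"
)

# Sample input: the five lines from the capture in the post.
SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
""".splitlines()

def group_fragments(lines):
    """Group fragments by (src, dst, IP id); protocol is not a field in these lines."""
    groups = defaultdict(lambda: {"count": 0, "first": False, "last": False, "offsets": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        off, more = int(m["off"]), "+" in m["flags"]
        if off == 0 and not more:
            continue  # not a fragment
        g = groups[(m["src"], m["dst"], int(m["id"]))]
        g["count"] += 1
        g["first"] |= off == 0   # only the offset-0 fragment carries the UDP ports
        g["last"] |= not more    # more-fragments flag clear: final fragment
        g["offsets"].append(off)
    return dict(groups)

def headless(groups, min_frags=3):
    """Keys seen only as middle fragments: no ports, no reassembly from this capture."""
    return [k for k, g in groups.items()
            if g["count"] >= min_frags and not g["first"] and not g["last"]]

def payload_stride(offsets):
    """Distinct gaps between sorted offsets; a single value means back-to-back fragments."""
    s = sorted(offsets)
    return {b - a for a, b in zip(s, s[1:])}

if __name__ == "__main__":
    for key in headless(group_fragments(SAMPLE)):
        print("incomplete fragment train:", key)
```

On the lines from the post, the offsets step by 1480 bytes, which is a 1500-byte packet minus a 20-byte IP header, so every packet is a full-size middle fragment of the same datagram ID.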

1 Reply

ebreniz
Level 6

Your problem is not very clear to me. If someone is flooding your switch with strange packets, why not tell them not to do so, or even use an ACL to block that traffic from entering the switch, if you know the real source of the traffic?

Is the destination address that you see genuine? If not, I am guessing that the high packet loss is due to the fact that the switch is unable to route them and is simply dropping them.
