[FYI] Broadcasts at NAPs

This ICMP discussion reminded me that we've been logging broadcasts
for a while at ME to see what percentage of traffic they represented
and what it was (the wrong way round to track back thru ICMP DoS
attacks).

If anyone's interested, the results are:

192.41.177.255 (254376 matches)
255.255.255.255 (1694830 matches)
any other dest. (1047899270 matches)

which is 0.18% of the total accounted for by broadcasts. Bad, of
course, but not as bad as I thought. I guess the bigger the provider,
the smaller the percentage of total (that 1 billion is total input on our
FDDI since I applied the list, rather than total packets on the LAN).

I'm assuming that a billion packets is enough to be a representative
sample.

A bit of a breakdown from the logs:

Split of broadcasts is:

  ICMP 12%
  UDP 88%

(actually, there were 5 packets for protocol 9 (private IGP?) but
that's neither here nor there)

Port breakdown (based on a smaller sample to save resources):

ICMP

5841 = ??? (is this CDP?)
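As an added example (not from the thread, and not the poster's own list): a short Python script that parses counter lines in the shape quoted above, labels each destination as the limited broadcast, the ring's own directed broadcast, or other, and works out the broadcast share. The /24 for the FDDI ring, the line format and the minimum sample size are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed input in the same shape as the counters quoted in the message.
COUNTER_LINES = """
192.41.177.255 (254376 matches)
255.255.255.255 (1694830 matches)
any other dest. (1047899270 matches)
"""

# Assumption: the FDDI ring is 192.41.177.0/24, so .255 is its directed broadcast.
LAN = ip_network("192.41.177.0/24")
LIMITED_BROADCAST = ip_address("255.255.255.255")

# "any other dest." is the catch-all entry; everything else is a dotted-quad.
LINE_RE = re.compile(r"^(any other dest\.|\S+) \((\d+) matches\)$")


def classify(dest: str, lan=LAN) -> str:
    """Label a destination: limited broadcast, this ring's directed broadcast, or other."""
    if dest == "any other dest.":
        return "other"
    addr = ip_address(dest)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr == lan.broadcast_address:
        return "directed-broadcast"
    return "other"


def parse_counters(text: str) -> dict:
    """Sum match counts per destination class from access-list style counter lines."""
    counts = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed counter line: {line!r}")
        kind = classify(m.group(1))
        counts[kind] = counts.get(kind, 0) + int(m.group(2))
    return counts


def broadcast_share(counts: dict, min_sample: int = 1_000_000) -> float:
    """Percentage of all counted packets that were broadcasts; refuse tiny samples."""
    total = sum(counts.values())
    if total < min_sample:
        raise ValueError(f"sample of {total} packets is too small to be representative")
    bcast = counts.get("limited-broadcast", 0) + counts.get("directed-broadcast", 0)
    return 100.0 * bcast / total
```

On the constructed input this gives just under 0.19%, matching the 0.18% quoted above once truncated.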

I believe cdp uses the layer 2 HDLC protocol.
Interesting troubleshooting tool: if you connect 2 Ciscos together
you'll be able to sh cdp neigh and see it up even if IP isn't working.

Glynn

I knew as soon as I hit send that I'd messed that up... obviously it can't
use HDLC or it wouldn't work on Ethernet/token ring/FDDI etc...

CDP is a media and protocol independent protocol that runs at the data-link
layer, sending periodic messages to a multicast address.

Yes, it would use HDLC for serial lines, but not for anything else.

Sorry for any confusion.
Glynn