Worm / UDP1434

Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)?
They sure don't like this traffic one bit. It causes them to not only drop
traffic, but spew out every available error message under the sun...

Extreme are apparently assembling an "advisory TAC" on this, from our point
of view, since we use the devices to do l3 aggregation (for colo and such)
we've used an ACL to try and combat the offending traffic, but it's not doing
much good...

David,

> Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)?
> They sure don't like this traffic one bit. It causes them to not only drop
> traffic, but spew out every available error message under the sun...

We use Extremes in our core and it did not log much other than CPU issues:

01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC:
80266eb4
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC:
80266eb4

and...

01/25/2003 02:24.43 <INFO:SYST> task tNetTask cpu utilization is 93% PC:
80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC:
80266eb4

I did notice console messages while investigating the sources of the
traffic, but of course have no log of them now. The switches stayed up the
whole time though (yay)

Also picked up some strange messages from one of the offenders:

01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79

No idea yet what that is, though I assume it is coming from the monitor
port.

-Scotty

> Anybody here on list using Extreme products (Summit/ Alpine/
> Blackdiamond)? They sure don't like this traffic one bit. It causes
> them to not only drop traffic, but spew out every available error
> message under the sun...

> We use Extremes in our core and it did not log much other than CPU issues:
>
> 01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC:
> ...

All of the ExtremeNetworks devices I've laid my hands on are in strict L2
mode and their management interfaces are either on private networks or behind
firewalls. If you are relying on their ACLs to protect your telnet and
snmp access, but are otherwise allowing their management interfaces to hear
traffic from the whole Internet, then you should turn in your badge and go
back to bagging groceries or whatever it is you used to do. (Same goes for
any management interface on any L1-L2-L3-L4 product made by any vendor, so
I'm not intending to pick on Extreme individually here.)

Some would argue this should apply to those exposing MSSQL to the
outside world such that it could even receive malicious port 1434
packets...

  --cw

> ... If you are relying on their ACLs to protect your telnet and
> snmp access, but are otherwise allowing their management interfaces
> to hear traffic from the whole Internet, then you should turn in
> your badge and go back to bagging groceries or whatever it is you
> used to do.

> Some would argue this should apply to those exposing MSSQL to the
> outside world such that it could even receive malicious port 1434
> packets...

in fairness to microsoft, there have been worms based on apache and bind
and popper and fingerd (buffer overruns) and even sendmail (wizard password)
so the wide-scale code review one gets from open source software engineering
is only a marginal solution to monocultural weakness vectors.

i wasn't pointing at microsoft

i was pointing out that leaving software completely exposed when it
need not be is potentially problematic

perhaps[1] this is worse for software which is used mostly for local
connections (i.e. LAN, internal network, etc.) such as SQL servers as
opposed to software which is designed and/or required to accept
connections from all over such as a web-server or MTA

  --cw

[1] where often a higher degree of paranoia exists in the programmer's
    mind and also the likelihood of widespread problems being reported
    appears to be greater