RE: Slow links....Nimda/codered???

From: Roberts, Larry (Larry.Roberts@xxxxxxxxxxxx)
Date: Fri May 17 2002 - 12:31:45 GMT-3


   
Something that I do is to create access-lists.
I start with a permit tcp any any, permit udp any any and permit ip any any.
I watch the hit counts and see which one is taking the most traffic.
If it's TCP that is taking the most hits, I then create a permit udp any any,
and a series of TCP any any lt 100, lt 200, lt 300, lt 400, etc., up to about
1024 and from there go up by 500 at a time. This will allow you to see what
port range is generating the most traffic. Once I get it down to a block of
traffic that is at 100, I repeat for that same 100 block, but use lt 100, lt
110, lt 120... till I get to the 10-20 port range. Next step is to write another
access-list that has a log-input on the ports in question. Now I will see
which device (or devices) are generating the traffic. Yes, I could do this with
just a tcp any any log-input, but it is a pain to try and go through the
logs, and it most certainly requires a syslog server if you have more than 1
device talking.

Just my approach, however.

Thanks

Larry
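
Larry's counter-ACL bisection written out as IOS configuration, added here as an example; it is not from his post. ACL numbers 101 and 102, the interface name Serial0/0, and port 80 as the port the counters end up pointing at are assumptions. The point to keep in mind is that IOS evaluates an access-list top-down and stops at the first match, so "lt 200" placed after "lt 100" only counts destination ports 100-199; every entry is a permit, so the list counts traffic without dropping any of it.

```cisco
! Added example, not from Larry's post. ACL numbers, the interface name
! and the final port (80) are assumptions. First match wins, so each
! "lt N" line counts only the ports not already matched by the line above.
! Every line is a permit: the list is a set of counters, not a filter.
!
! Pass 1: coarse destination-port buckets (100 wide to 1024, then 500 wide)
access-list 101 permit udp any any
access-list 101 permit tcp any any lt 100
access-list 101 permit tcp any any lt 200
access-list 101 permit tcp any any lt 300
access-list 101 permit tcp any any lt 400
access-list 101 permit tcp any any lt 500
access-list 101 permit tcp any any lt 600
access-list 101 permit tcp any any lt 700
access-list 101 permit tcp any any lt 800
access-list 101 permit tcp any any lt 900
access-list 101 permit tcp any any lt 1000
access-list 101 permit tcp any any lt 1024
access-list 101 permit tcp any any lt 1524
access-list 101 permit tcp any any lt 2024
! ... continue in steps of 500 in the same pattern ...
access-list 101 permit tcp any any
access-list 101 permit ip any any
!
interface Serial0/0
 ip access-group 101 in
!
! Zero the counters, wait a minute, then read the per-entry match counts:
!   clear access-list counters 101
!   show access-lists 101
!
! Pass 2: once one 100-port bucket stands out (say 0-99), rebuild the list
! with lt 10, lt 20, ... lt 100 in the same first-match style.
!
! Pass 3: log only the narrowed port. log-input adds the ingress interface
! and source MAC to each syslog entry, so the sending host can be found.
! Logged entries are process-switched, so drop this list once it has done
! its job.
access-list 102 permit tcp any any eq 80 log-input
access-list 102 permit ip any any
!
interface Serial0/0
 no ip access-group 101 in
 ip access-group 102 in
```

The "lt" keyword after the second "any" tests the destination port; to bucket by source port instead, put the "lt" operator after the first "any". Clear the counters before each pass so a burst from the previous pass does not skew the next one.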

-----Original Message-----
From: Murali Rao [mailto:muralig19@yahoo.com]
Sent: Friday, May 17, 2002 5:45 AM
To: ccielab@groupstudy.com
Subject: OT: Slow links....Nimda/codered???

Hello All.
Sorry for this OT but I need some help immediately.
My customer's network has become dead slow since the last 4 days. It is a
hub spoke topology with 3660 as hub and 1750s as spokes.
The txload and rxload on sh int serial output show as
much as 255/255 even when there are no user applications running.
Suspecting problems with the serial line, I brought up the
backup ISDN and the same thing repeats on the ISDN as well.
So there definitely is heavy traffic being pumped into the network. No high
CPU utilization seen as well. Suspecting the nimda/codered worm, I found on the
CCO configurations to block these worms from crossing the routers. I have
tried these configs at all the routers without any use. Can someone have a
look at these configs and see if I am missing something or suggest any other
way of killing this issue? This is making the links so slow that VoIP calls
are suffering.

class-map match-any http-attacks
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.eml*"
!
!
policy-map mark-inbound-http-attacks
  class http-attacks
   set ip dscp 1

interface fastethernet 0/0
 ip access-group 189 in
 ip access-group 189 out
 service-policy input mark-inbound-http-attacks

access-list 189 deny ip any any dscp 1 log
access-list 189 permit ip any any

I have applied the policy map to ethernet interfaces on all
the routers thinking that this will block any patterns that match the
class-map.
Am I doing something wrong here? Can this be handled in a different way? Any
help is appreciated.

Murali.
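
A rearranged version of the posted configuration, added here as an example; it is not from Murali's post or from the CCO document. The class-map, policy-map and access-list 189 are the posted ones; the interface roles (FastEthernet0/0 as the LAN side, Serial0/0 as the WAN side) are assumptions. The problem with the posted placement is ordering: on IOS an inbound access-group is checked before the inbound service-policy on the same interface, so "ip access-group 189 in" on FastEthernet0/0 tests the packet before the policy has set DSCP 1 and the deny never matches. The deny has to sit on the interface the marked packet leaves through. Two caveats: NBAR needs CEF, and the class only matches an HTTP request carrying one of those URLs, so it drops infection attempts but not the bare port-80 connection attempts from scanning, which also load the links; for those, counter ACLs of the kind Larry describes are the tool.

```cisco
! Added example, not from Murali's post or the CCO document. Interface
! roles (FastEthernet0/0 = LAN, Serial0/0 = WAN) are assumptions.
ip cef
!
class-map match-any http-attacks
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.eml*"
!
policy-map mark-inbound-http-attacks
  class http-attacks
   set ip dscp 1
!
! Mark on the interface the worm request ENTERS. An inbound ACL on this
! same interface runs before the inbound service-policy and never sees
! DSCP 1, so "ip access-group 189 in" here blocks nothing.
interface FastEthernet0/0
 service-policy input mark-inbound-http-attacks
!
! Drop on the interface the packet LEAVES, where the mark is already set.
interface Serial0/0
 ip access-group 189 out
!
! For both directions (LAN->WAN and WAN->LAN), apply the service-policy
! input on both interfaces and the access-group out on both interfaces.
!
access-list 189 deny ip any any dscp 1 log
access-list 189 permit ip any any
```

The "log" keyword on the deny is what gives a quick confirmation that the mark is being set and matched: "show access-lists 189" should show the deny entry's match count rising, and "show policy-map interface FastEthernet0/0" should show packets classified into http-attacks. If both stay at zero, the marking is not happening (check "show ip cef" and that NBAR sees the traffic as HTTP on port 80) rather than the drop.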



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:59 GMT-3