RE: cpu usage high

From: Weidong Xiao (Weidong.Xiao@vi.net)
Date: Mon Feb 24 2003 - 11:17:13 GMT-3


Thanks guys,

We are under a DDOS attack. The forged packets use source IPs not only from the bogon list but also some real IPs. That's why I put ACL 180 there. ACL 2010 can be found in the bogon list:
http://www.cymru.com/Documents/secure-ios-template.html

All the VLANs have ip route-cache or ip route-cache flow enabled.
A stranger thing is that if I add "ip route TARGET-IP 255.255.255.255 Null 0", the CPU usage is even higher.

Any ideas?

Thanks,
Weidong

-----------------------------------
interface Vlan11
 description INTERNET FEED 1
 ip address XXXX 255.255.255.252
 ip access-group 2010 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 rate-limit input access-group 150 2008000 250000 250000 conform-action transmit exceed-action drop
 rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
 rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
 rate-limit input access-group 180 2496000 375000 375000 conform-action transmit exceed-action drop <---- RATE LIMIT TRAFFIC TO THE TARGET
 ip route-cache flow
!
access-list 150 remark CAR-UDP ACL
access-list 150 permit udp any any
access-list 160 remark CAR-ICMP ACL
access-list 160 permit icmp any any
access-list 170 remark CAR-Multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
access-list 180 permit ip any host 212.X.X.228 <---TARGET OF DDOS

br1.bb.rtr#sh ip int vlan 11
...
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is enabled
  IP CEF switching is enabled
  IP Flow switching turbo vector
  IP Flow CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Flow, CEF
...

br1.bb.rtr>sh proc cpu
CPU utilization for five seconds: 78%/65%; one minute: 82%; five minutes: 76%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
...
  19 1522784 1628657 934 9.22% 7.59% 6.93% 0 IP Input
...
  67 1190176 2757 431692 6.14% 2.06% 2.20% 0 BGP Scanner
  69 276 1360 202 0.00% 0.00% 0.00% 0 TACACS+

> -----Original Message-----
> From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> Sent: 24 February 2003 00:45
> To: Weidong Xiao; ccielab@groupstudy.com
> Subject: Re: cpu usage high
>
>
> It's IP traffic going through the router. But there can be many reasons why
> the utilization is high. Some of those are:
>
> Access lists
> NAT
> a DOS occurring
> a poor configuration - disabled route-cache, etc
> Older IOS version which doesn't support fast switching of certain traffic
> types.
>
> Here's a pretty good doc on it:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a70f2.shtml

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Weidong Xiao" <Weidong.Xiao@vi.net>
To: <ccielab@groupstudy.com>
Sent: Sunday, February 23, 2003 5:34 PM
Subject: cpu usage high

> Hi Group,
>
> A cat6509 is receiving about 30Mb/s traffic from the Internet. Normally
> the cpu usage is under 10%. But for the last couple of hours it's like
> below. I am wondering what kind of traffic can be so 'powerful', and what
> pid 19 (see below) means. Can anyone shed some light?
>
> Thanks very much,
> Weidong
>
>
> br1.rtr#sh proc cpu
> CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> ....
> 19 42728104 184864569 231 16.54% 19.07% 19.36% 0 IP Input
> ....
> 66 175270476 1282394 136677 0.00% 1.39% 1.94% 0 BGP Scanner
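An added example, not code from this thread or from either poster: the Python below parses the two "sh proc cpu" excerpts quoted in the thread (the samples are copied from the two posts, with the line-wrapped header of the Feb 23 one rejoined) and splits the five-second figure "78%/65%" into its interrupt-level share (the second number, CPU spent switching packets in the fast/CEF path) and the remaining process-level share, then checks how much of that the IP Input process (the PID 19 asked about, which handles packets that are process switched) is taking. The helper names, the "interrupt-heavy" / "ip-input-busy" labels and the two thresholds `interrupt_ratio` and `ip_input_pct` are assumptions chosen for illustration, not IOS-documented limits.

```python
"""Parse Cisco IOS 'show processes cpu' output and split the load into an
interrupt-level (switched packets) and a process-level (scheduled processes)
component.  Added example for the thread above; the two samples below are
copied from the posts (wrapped header line of the second one rejoined)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "CPU utilization for five seconds: 78%/65%; one minute: 82%; five minutes: 76%"
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;\s*"
    r"one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# "  19 1522784 1628657 934 9.22% 7.59% 6.93% 0 IP Input"
ROW_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"          # PID Runtime(ms) Invoked uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"    # 5Sec 1Min 5Min
    r"\S+\s+(.+?)\s*$"                         # TTY Process
)


@dataclass
class Proc:
    pid: int
    five_sec: float
    one_min: float
    five_min: float
    name: str


@dataclass
class CpuReport:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    procs: List[Proc] = field(default_factory=list)

    @property
    def process_level_5s(self) -> int:
        # In "78%/65%" the first figure is total CPU and the second is the
        # share spent at interrupt level (fast/CEF-switched forwarding).
        # What is left is consumed by scheduled processes such as IP Input.
        return self.total_5s - self.interrupt_5s


def parse_proc_cpu(text: str) -> CpuReport:
    """Parse the utilization header and any process rows that follow it."""
    report: Optional[CpuReport] = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            total, intr, m1, m5 = (int(g) for g in h.groups())
            report = CpuReport(total, intr, m1, m5)
            continue
        r = ROW_RE.match(line)
        if r and report is not None:
            pid, s5, m1, m5, name = r.groups()
            report.procs.append(Proc(int(pid), float(s5), float(m1), float(m5), name))
    if report is None:
        raise ValueError("no 'CPU utilization' header found")
    return report


def find_proc(report: CpuReport, name: str) -> Optional[Proc]:
    return next((p for p in report.procs if p.name == name), None)


def assess(report: CpuReport, interrupt_ratio: float = 0.6,
           ip_input_pct: float = 5.0) -> List[str]:
    """Coarse findings. Both thresholds are assumptions for illustration."""
    findings = []
    if report.total_5s and report.interrupt_5s / report.total_5s >= interrupt_ratio:
        # Most of the load is packet switching at interrupt level: a traffic
        # volume problem rather than one misbehaving process.
        findings.append("interrupt-heavy")
    ip_input = find_proc(report, "IP Input")
    if ip_input is not None and ip_input.five_sec >= ip_input_pct:
        # IP Input handles packets the fast/CEF path did not switch, so a
        # large share here means a lot of traffic is being process switched.
        findings.append("ip-input-busy")
    return findings


SAMPLE_FEB24 = """\
CPU utilization for five seconds: 78%/65%; one minute: 82%; five minutes: 76%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
...
  19 1522784 1628657 934 9.22% 7.59% 6.93% 0 IP Input
...
  67 1190176 2757 431692 6.14% 2.06% 2.20% 0 BGP Scanner
  69 276 1360 202 0.00% 0.00% 0.00% 0 TACACS+
"""

SAMPLE_FEB23 = """\
CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
....
19 42728104 184864569 231 16.54% 19.07% 19.36% 0 IP Input
....
66 175270476 1282394 136677 0.00% 1.39% 1.94% 0 BGP Scanner
"""

if __name__ == "__main__":
    for label, sample in (("Feb 24", SAMPLE_FEB24), ("Feb 23", SAMPLE_FEB23)):
        rep = parse_proc_cpu(sample)
        print(f"{label}: total {rep.total_5s}% = interrupt {rep.interrupt_5s}% "
              f"+ process {rep.process_level_5s}% -> {assess(rep)}")
```

Run against the Feb 24 sample this reports 78% = 65% interrupt + 13% process, with IP Input at 9.22% of the total; the same split on the Feb 23 sample gives 48% = 32% + 16%. In both captures most of the load is at interrupt level, which is what a flood of switched packets looks like, while the residual IP Input share is the part worth watching when a change such as a Null0 route makes the total climb.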



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:33 GMT-3