From: Chuck Church (ccie8776@rochester.rr.com)
Date: Mon Feb 24 2003 - 13:14:26 GMT-3
Since the Internet doesn't really support multicast, I'd block it all at the
ACL versus rate-limiting it. If the target of the DDOS is just one host,
can you change the IP address of that host?
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "Weidong Xiao" <Weidong.Xiao@vi.net>
To: <ccielab@groupstudy.com>
Sent: Monday, February 24, 2003 9:17 AM
Subject: RE: cpu usuage high
> Thanks guys,
>
> We are under a DDOS attack. The forged packets not only use source IPs from
> the bogon list, but also some real IPs. That's why I put ACL 180 there. ACL 2010
> can be found in the bogon list:
> http://www.cymru.com/Documents/secure-ios-template.html
>
> All the vlans enabled ip route-cache or ip route-cache flow.
> An even stranger thing is that if I add "ip route TARGET-IP 255.255.255.255 Null 0",
> the CPU usage is even higher.
>
> Any ideas?
>
> Thanks,
> Weidong
>
> -----------------------------------
> interface Vlan11
> description INTERNET FEED 1
> ip address XXXX 255.255.255.252
> ip access-group 2010 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> rate-limit input access-group 150 2008000 250000 250000 conform-action transmit exceed-action drop
> rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
> rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
> rate-limit input access-group 180 2496000 375000 375000 conform-action transmit exceed-action drop <---- RATE LIMIT TRAFFIC TO THE TARGET
> ip route-cache flow
> !
> access-list 150 remark CAR-UDP ACL
> access-list 150 permit udp any any
> access-list 160 remark CAR-ICMP ACL
> access-list 160 permit icmp any any
> access-list 170 remark CAR-Multicast ACL
> access-list 170 permit ip any 224.0.0.0 15.255.255.255
> access-list 180 permit ip any host 212.X.X.228 <---TARGET OF DDOS
>
> br1.bb.rtr#sh ip int vlan 11
> ...
> IP fast switching is enabled
> IP fast switching on the same interface is disabled
> IP Flow switching is enabled
> IP CEF switching is enabled
> IP Flow switching turbo vector
> IP Flow CEF switching turbo vector
> IP multicast fast switching is enabled
> IP multicast distributed fast switching is disabled
> IP route-cache flags are Fast, Flow, CEF
> ...
>
> br1.bb.rtr>sh proc cpu
> CPU utilization for five seconds: 78%/65%; one minute: 82%; five minutes: 76%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
> ...
>   19     1522784   1628657        934  9.22%  7.59%  6.93%   0 IP Input
> ...
>   67     1190176      2757     431692  6.14%  2.06%  2.20%   0 BGP Scanner
>   69         276      1360        202  0.00%  0.00%  0.00%   0 TACACS+
>
> > -----Original Message-----
> > From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> > Sent: 24 February 2003 00:45
> > To: Weidong Xiao; ccielab@groupstudy.com
> > Subject: Re: cpu usuage high
> >
> >
> > It's IP traffic going through the router. But there can be many reasons
> > why the utilization is high. Some of those are:
> >
> > Access lists
> > NAT
> > a DOS occurring
> > a poor configuration - disabled route-cache, etc
> > Older IOS version which doesn't support fast switching of
> > certain traffic
> > types.
> >
> > Here's a pretty good doc on it:
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a70f2.shtml
>
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> To: <ccielab@groupstudy.com>
> Sent: Sunday, February 23, 2003 5:34 PM
> Subject: cpu usuage high
>
>
> > Hi Group,
> >
> > A cat6509 is receiving about 30Mb/s traffic from the Internet. Normally
> > the CPU usage is under 10%. But for the last couple of hours it's like
> > below. I am wondering what kind of traffic can be so 'powerful', and what
> > pid 19 (see below) means. Can anyone shed some light?
> >
> > Thanks very much,
> > Weidong
> >
> >
> > br1.rtr#sh proc cpu
> > CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
> >  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
> > ....
> >   19    42728104 184864569        231 16.54% 19.07% 19.36%   0 IP Input
> > ....
> >   66   175270476   1282394     136677  0.00%  1.39%  1.94%   0 BGP Scanner
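The thread turns on reading `show processes cpu`: the "78%/65%" pair is total CPU over five seconds and the share of it spent at interrupt level (fast/CEF-switched forwarding), so the difference is process-level work, and PID 19 "IP Input" is the process that handles packets the fast path could not switch. The following Python is an added example, not code from any of the posts, that parses that output into those components and ranks the busiest processes. The sample text is constructed from the figures quoted above, and the regexes assume the classic IOS column layout shown there.

```python
"""Split Cisco IOS 'show processes cpu' output into interrupt-level and
process-level CPU and rank the busiest processes.

Added example for the thread above (not code from any of the posts).
SAMPLE is constructed from the figures quoted in the thread; the regexes
assume the classic IOS column layout shown there.
"""
import re
from dataclasses import dataclass

# Constructed from the 'sh proc cpu' output quoted in the thread.
SAMPLE = """\
CPU utilization for five seconds: 78%/65%; one minute: 82%; five minutes: 76%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  19     1522784   1628657        934  9.22%  7.59%  6.93%   0 IP Input
  67     1190176      2757     431692  6.14%  2.06%  2.20%   0 BGP Scanner
  69         276      1360        202  0.00%  0.00%  0.00%   0 TACACS+
"""

# "78%/65%": total CPU over 5 s, and the part spent at interrupt level
# (fast/CEF-switched forwarding).  The remainder is process-level work.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# One process row: PID, Runtime(ms), Invoked, uSecs, three percentages, TTY, name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


@dataclass
class ProcessRow:
    pid: int
    runtime_ms: int
    invoked: int
    usecs: int
    pct_5s: float
    pct_1m: float
    pct_5m: float
    tty: str
    name: str


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: list

    @property
    def process_level_5s(self) -> int:
        """CPU spent in scheduled processes (e.g. IP Input = process-switched packets)."""
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSummary:
    """Parse the header line and every process row found in the output."""
    header = None
    rows = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = tuple(int(x) for x in m.groups())
            continue
        m = ROW_RE.match(line)
        if m:  # the column header and '...' filler lines do not match
            g = m.groups()
            rows.append(ProcessRow(int(g[0]), int(g[1]), int(g[2]), int(g[3]),
                                   float(g[4]), float(g[5]), float(g[6]),
                                   g[7], g[8]))
    if header is None:
        raise ValueError("no 'CPU utilization for five seconds' line found")
    total, interrupt, one_min, five_min = header
    return CpuSummary(total, interrupt, one_min, five_min, rows)


def top_processes(summary: CpuSummary, n: int = 3) -> list:
    """Processes ranked by their 5-second share, busiest first."""
    return sorted(summary.processes, key=lambda p: p.pct_5s, reverse=True)[:n]


def dominant_component(summary: CpuSummary) -> str:
    """'interrupt' when fast-path forwarding dominates, 'process' otherwise."""
    if summary.interrupt_5s >= summary.process_level_5s:
        return "interrupt"
    return "process"


if __name__ == "__main__":
    s = parse_show_proc_cpu(SAMPLE)
    print(f"total {s.total_5s}%  interrupt {s.interrupt_5s}%  "
          f"process-level {s.process_level_5s}%  dominant: {dominant_component(s)}")
    for p in top_processes(s):
        print(f"  PID {p.pid:>3} {p.name:<12} {p.pct_5s:5.2f}%")
```

On the quoted figures this reports 65% interrupt-level against 13% process-level, i.e. most of the load is packets being forwarded in the fast path, with IP Input the largest of the scheduled processes; comparing those two components before and after a change such as a Null0 route or a new ACL is a quick way to tell whether the change moved work into or out of the process path.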
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:33 GMT-3