From: Colin Barber (Colin.Barber@telewest.co.uk)
Date: Fri Feb 28 2003 - 11:09:38 GMT-3
The DOS still works if you block it yourself. The traffic has already
saturated your Internet bandwidth by reaching you.
It would depend on your contract with your ISP if they have to help or not.
If they don't then move to another provider. They should help as the traffic
is wasting bandwidth within their network.
Colin
-----Original Message-----
From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
Sent: 28 February 2003 10:56
To: 'Weidong Xiao'; ccielab@groupstudy.com
Subject: RE: Comman Practice Question (RE: cpu usuage high)
Couldn't you use ip tcp intercept for servers network on your routers and ip
verify unicast reverse-path to stop this yourself.
Kind regards.
Paul.
-----Original Message-----
From: Weidong Xiao [mailto:Weidong.Xiao@vi.net]
Sent: 28 February 2003 10:08
To: ccielab@groupstudy.com
Subject: OT: Comman Practice Question (RE: cpu usuage high)
Our 6509 IOS has been upgraded form 12.1(2)E to 12.1(13)E4. The cpu usuage
is much better now, and I can issue "ip route TARGET-IP 255.255.255.255 Null
0" or turn on strict filtering without fear. Thanks for all the replies.
I sent a email to NANOG yesterday without success. I'd like to post it here,
any reply will be appreciated.
"One of our servers is being DOS attacked by a flood of 100Mb/s. Most of the
traffic is with spoofed source IP, like 192.168.0.0 or others in Bogon
list.
I can block this kind of traffic at our border router, but the router's cpu
usuage will become high.
I asked our up-stream provider to stop sending traffic like that to us.
Action hasn't been taken. My question is, do they have the obligation to do
that if I've asked them? Is that their duty?"
Thanks,
Weidong
> -----Original Message-----
> From: Weidong Xiao
> Sent: 25 February 2003 17:05
> To: Chuck Church; ccielab@groupstudy.com
> Subject: RE: cpu usuage high
>
>
> Thanks Chuck, you are always helpful.
>
> For the purpose to off load the 6509, I issued "ip route
> TARGET-IP 255.255.255.255 Null 0", the cpu usuage immediately
> increased by 25%. When I took that off, the cpu usuage
> immediatly droped. I should be able to draw the conclution
> that something must be wrong in the IOS. Have sheuded time to
> upgrade and I'll let you know the result.
>
> Cheers,
> Weidong
>
>
>
> > -----Original Message-----
> > From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> > Sent: 24 February 2003 19:22
> > To: Weidong Xiao; ccielab@groupstudy.com
> > Subject: Re: cpu usuage high
> >
> >
> > It's a long shot, but you might want to try a newer IOS. I
> > know there were
> > some performance problems with buffers on some of the 12.1.8
> > or so versions.
> > Don't know if the problem existed in 12.1.2E. Might want to
> > try 12.1.13Ex.
> > It'll add the luxury of NBAR as well, in case you need that
> > down the road.
> >
> > Chuck Church
> > CCIE #8776, MCNE, MCSE
> >
> >
> > ----- Original Message -----
> > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Monday, February 24, 2003 9:33 AM
> > Subject: RE: cpu usuage high
> >
> >
> > > Thanks.
> > >
> > > "sh ip bgp flap-statistics" shows nothing. bgp connection
> is pretty
> > stable. I used bongon BGP template as well. The interface
> > didn't flap. The
> > high cpu usuage happened when income traffic suddenly
> > increased. Logs show
> > most of the traffic go to the target.
> > >
> > > br1.rtr#sh ver
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(2)E,
> > EARLY DEPLOYMENT
> > RELEASE SOFTWARE (fc
> > > 1)
> > >
> > > br1.rtr#sh run
> > > ...
> > > interface Null0
> > > no ip unreachables
> > > ...
> > >
> > > > -----Original Message-----
> > > > From: Nawaz, Ajaz [mailto:Ajaz.Nawaz@bskyb.com]
> > > > Sent: 24 February 2003 11:24
> > > > To: 'Tony Huang'; Weidong Xiao; ccielab@groupstudy.com
> > > > Subject: RE: cpu usuage high
> > > >
> > > >
> > > >
> > > > This has nothing to do with Spantree whatsover - the issues
> > > > higlighted are related to router processes pointed out by
> > > > Weidong Xiao below. They are IP
> > > > Input and BGP Scanner.
> > > >
> > > > There is not enough information to say exactly what may be
> > > > causing this but it could be a bug or something like BGP flap.
> > > > We need to see output from
> > > > show ver and config too for starters. If you see it again use
> > > > show ip bgp
> > > > flap-statistics. Does the high CPU follow an interface flap ?
> > > >
> > > >
> > > > ajaz
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Tony Huang [mailto:tonyh5@hotmail.com]
> > > > Sent: 24 February 2003 02:00
> > > > To: Weidong Xiao; ccielab@groupstudy.com
> > > > Subject: Re: cpu usuage high
> > > >
> > > >
> > > > Hi,
> > > > I think the frequent change of networkk status could cause the
> > > > high cup usage because the switch needs to run spantree times.
> > > > By issuing sh spantree
> > > > statistics, you should be able to see which port has incured
> > > > the change. You
> > > > can find this by looking at the column: topology change last
> > > > recvd. from.
> > > > From there, you can keep tracing the source of problems.
> > > > Hope it helps,
> > > >
> > > > Cheers,
> > > >
> > > > Tony
> > > >
> > > > ----- Original Message -----
> > > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > > To: <ccielab@groupstudy.com>
> > > > Sent: Monday, February 24, 2003 9:34 AM
> > > > Subject: cpu usuage high
> > > >
> > > >
> > > > > Hi Group,
> > > > >
> > > > > A cat6509 is receiving about 30Mb/s traffic from the
> > > > Internet. Normally
> > > > the cpu usuage is under 10%. But for the last couple of hours
> > > > it's like below. I am wondering what kind of traffic can be so
> > > > 'powerful', and what
> > > > does pid 19 (see below) mean. Can anyone shed some light?
> > > > >
> > > > > Thanks very much,
> > > > > Weidong
> > > > >
> > > > >
> > > > > br1.rtr#sh proc cpu
> > > > > CPU utilization for five seconds: 48%/32%; one minute: 64%;
> > > > five minutes:
> > > > 65%
> > > > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min
> > TTY Process
> > > > > ....
> > > > > 19 42728104 184864569 231 16.54% 19.07% 19.36%
> > 0 IP Input
> > > > > ....
> > > > > 66 175270476 1282394 136677 0.00% 1.39% 1.94% 0
> > > > BGP Scanner
> > > >
> > > >
> > > > .
> > > >
> > > >
> > > >
> >
> **********************************************************************
> > > > Information in this email is confidential and may be privileged.
> > > > It is intended for the addressee only. If you have received it
> > > > in error, please notify the sender immediately and delete it
> > > > from
> > your system.
> > > > You should not otherwise copy it, retransmit it or use or
> > disclose its
> > > > contents to anyone.
> > > > Thank you for your co-operation.
> > > >
> >
> **********************************************************************
****************************************************************************
************
This E-mail is from O2. The E-mail and any files
transmitted with it are confidential and may also be privileged and intended
solely for the use of the individual or entity to whom they are addressed.
Any unauthorised direct or indirect dissemination, distribution or copying
of this message and any attachments is strictly prohibited. If you have
received the E-mail in error please notify postmaster@O2.com or
telephone ++ 353 1 6095000.
****************************************************************************
*************
------------------------------------------------------------------------------
Live Life in Broadband
www.telewest.co.uk
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.
Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer.
==============================================================================
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3