From: James.Jackson@broadwing.com
Date: Wed Mar 05 2003 - 16:24:41 GMT-3
Catching up on my reading... it's probably a bit late but here goes... the
traffic should be blackholed as close to the source as possible... upstream
*may* be able to trace the attack by working backwards router by
router... using Netflow data to determine ingress interface and working with
peers if required. Ideally, the attacker's provider would've been performing
some sort of ingress filtering (uRPF, ACL etc) on their interface to prevent
the 1918 address. If tracing the source is not an option, traffic can
certainly be blackholed by the upstream, either statically on the single
router or dynamically across their network by injecting your /32 into iBGP
with a next hop of a reserved network that is statically null routed on all
their routers.
HTH,
James
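Configuration sketch of the iBGP-triggered blackhole James describes, added here as an illustration; it is not taken from his message or from any participant in the thread. All values are placeholders: 192.0.2.1 (TEST-NET) stands in for the reserved next-hop network, 203.0.113.10 for the victim /32 the thread calls TARGET-IP, AS 65000 for the provider's ASN, and tag 666 marks the trigger routes.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.1 = reserved
! next-hop address, 203.0.113.10 = victim /32 (the thread's TARGET-IP),
! AS 65000 = the provider's own ASN, tag 666 = marker for trigger routes.

! === Prepared once on EVERY router in the provider's iBGP mesh ===
interface Null0
 no ip unreachables
!
! The reserved next hop is statically discarded everywhere, so any prefix
! whose BGP next hop resolves to it is dropped at the edge, not on the CPU.
ip route 192.0.2.1 255.255.255.255 Null0

! === On the trigger router only, when the attack starts ===
! A tagged static route for the victim host; the tag selects it for
! redistribution into iBGP through the route-map below.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export

! === Ingress filtering the attacker's provider should already run ===
! Strict uRPF drops packets whose source (e.g. 192.168.0.0/16) is not
! routed back out the receiving interface, without a per-packet ACL.
interface GigabitEthernet1/1
 ip verify unicast reverse-path

! === Checks on any router once the /32 has propagated ===
! show ip bgp 203.0.113.10      -> next hop 192.0.2.1, community no-export
! show ip cef 203.0.113.10      -> recursive resolution ends at Null0
!
! Withdraw the blackhole by removing the trigger route:
! no ip route 203.0.113.10 255.255.255.255 Null0 tag 666
```

The route-map only matches tag 666, so the 192.0.2.1 discard route itself is never redistributed, and no-export keeps the victim /32 inside the provider's AS.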
-----Original Message-----
From: Evgeny Tantsura [mailto:ivgen@castel.nl]
Sent: Friday, February 28, 2003 9:19 AM
To: Ken Diliberto
Cc: ccielab@groupstudy.com; Weidong.Xiao@vi.net
Subject: RE: Common Practice Question (RE: cpu usage high)
In case of DDOS via more than 1 upstream you could even advertise the /32
victim's IP via IBGP and then route this IP to the Null interface.
P.S. CAR with a simple access-list will work w/o any CPU load.
P.P.S. I've never heard about an upstream provider which won't stop DOS for
the customer... maybe you should look for another nice one :)
> Another technique I read on Nanog was not to block the addresses but
> route them to null0 or some other black hole. Much nicer to the CPU.
>
> Ken
>
> >>> "Casey, Paul (6822)" <Paul.Casey@o2.com> 02/28/03 02:56AM >>>
> Couldn't you use ip tcp intercept for the servers' network on your routers
> and ip verify unicast reverse-path to stop this yourself.
>
> Kind regards.
> Paul.
>
>
> -----Original Message-----
> From: Weidong Xiao [mailto:Weidong.Xiao@vi.net]
> Sent: 28 February 2003 10:08
> To: ccielab@groupstudy.com
> Subject: OT: Common Practice Question (RE: cpu usage high)
>
>
> Our 6509 IOS has been upgraded from 12.1(2)E to 12.1(13)E4. The cpu usage
> is much better now, and I can issue "ip route TARGET-IP 255.255.255.255
> Null 0" or turn on strict filtering without fear. Thanks for all the
> replies.
>
> I sent an email to NANOG yesterday without success. I'd like to post it
> here, any reply will be appreciated.
>
> "One of our servers is being DOS attacked by a flood of 100Mb/s. Most of the
> traffic is with spoofed source IP, like 192.168.0.0 or others in the Bogon
> list.
>
> I can block this kind of traffic at our border router, but the router's
> cpu usage will become high.
>
> I asked our up-stream provider to stop sending traffic like that to us.
> Action hasn't been taken. My question is, do they have the obligation to do
> that if I've asked them? Is that their duty?"
>
>
> Thanks,
> Weidong
>
>
> > -----Original Message-----
> > From: Weidong Xiao
> > Sent: 25 February 2003 17:05
> > To: Chuck Church; ccielab@groupstudy.com
> > Subject: RE: cpu usage high
> >
> >
> > Thanks Chuck, you are always helpful.
> >
> > For the purpose of offloading the 6509, I issued "ip route
> > TARGET-IP 255.255.255.255 Null 0", the cpu usage immediately
> > increased by 25%. When I took that off, the cpu usage
> > immediately dropped. I should be able to draw the conclusion
> > that something must be wrong in the IOS. I have scheduled time to
> > upgrade and I'll let you know the result.
> >
> > Cheers,
> > Weidong
> >
> >
> >
> > > -----Original Message-----
> > > From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> > > Sent: 24 February 2003 19:22
> > > To: Weidong Xiao; ccielab@groupstudy.com
> > > Subject: Re: cpu usage high
> > >
> > >
> > > It's a long shot, but you might want to try a newer IOS. I know there were
> > > some performance problems with buffers on some of the 12.1.8 or so versions.
> > > Don't know if the problem existed in 12.1.2E. Might want to try 12.1.13Ex.
> > > It'll add the luxury of NBAR as well, in case you need that down the road.
> > >
> > > Chuck Church
> > > CCIE #8776, MCNE, MCSE
> > >
> > >
> > > ----- Original Message -----
> > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Monday, February 24, 2003 9:33 AM
> > > Subject: RE: cpu usage high
> > >
> > >
> > > > Thanks.
> > > >
> > > > "sh ip bgp flap-statistics" shows nothing. bgp connection is pretty
> > > > stable. I used the bogon BGP template as well. The interface didn't
> > > > flap. The high cpu usage happened when incoming traffic suddenly
> > > > increased. Logs show most of the traffic goes to the target.
> > > >
> > > > br1.rtr#sh ver
> > > > Cisco Internetwork Operating System Software
> > > > IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(2)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > > >
> > > > br1.rtr#sh run
> > > > ...
> > > > interface Null0
> > > > no ip unreachables
> > > > ...
> > > >
> > > > > -----Original Message-----
> > > > > From: Nawaz, Ajaz [mailto:Ajaz.Nawaz@bskyb.com]
> > > > > Sent: 24 February 2003 11:24
> > > > > To: 'Tony Huang'; Weidong Xiao; ccielab@groupstudy.com
> > > > > Subject: RE: cpu usage high
> > > > >
> > > > >
> > > > >
> > > > > This has nothing to do with Spantree whatsoever - the issues
> > > > > highlighted are related to router processes pointed out by
> > > > > Weidong Xiao below. They are IP Input and BGP Scanner.
> > > > >
> > > > > There is not enough information to say exactly what may be
> > > > > causing this but it could be a bug or something like BGP flap.
> > > > > We need to see output from show ver and config too for starters.
> > > > > If you see it again use show ip bgp flap-statistics. Does the
> > > > > high CPU follow an interface flap?
> > > > >
> > > > >
> > > > > ajaz
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Tony Huang [mailto:tonyh5@hotmail.com]
> > > > > Sent: 24 February 2003 02:00
> > > > > To: Weidong Xiao; ccielab@groupstudy.com
> > > > > Subject: Re: cpu usage high
> > > > >
> > > > >
> > > > > Hi,
> > > > > I think the frequent change of network status could cause the
> > > > > high cpu usage because the switch needs to run spantree times.
> > > > > By issuing sh spantree statistics, you should be able to see
> > > > > which port has incurred the change. You can find this by looking
> > > > > at the column: topology change last recvd. from.
> > > > > From there, you can keep tracing the source of problems.
> > > > > Hope it helps,
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Tony
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > > > To: <ccielab@groupstudy.com>
> > > > > Sent: Monday, February 24, 2003 9:34 AM
> > > > > Subject: cpu usage high
> > > > >
> > > > >
> > > > > > Hi Group,
> > > > > >
> > > > > > A cat6509 is receiving about 30Mb/s traffic from the Internet.
> > > > > > Normally the cpu usage is under 10%. But for the last couple of
> > > > > > hours it's like below. I am wondering what kind of traffic can be
> > > > > > so 'powerful', and what does pid 19 (see below) mean. Can anyone
> > > > > > shed some light?
> > > > > >
> > > > > > Thanks very much,
> > > > > > Weidong
> > > > > >
> > > > > >
> > > > > > br1.rtr#sh proc cpu
> > > > > > CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
> > > > > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > > > > > ....
> > > > > > 19 42728104 184864569 231 16.54% 19.07% 19.36% 0 IP Input
> > > > > > ....
> > > > > > 66 175270476 1282394 136677 0.00% 1.39% 1.94% 0 BGP Scanner
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:33 GMT-3