Re: ROuter Reboot due to Virus !!

From: MADMAN (dmadlan@qwest.com)
Date: Thu Oct 02 2003 - 12:19:17 GMT-3


   Just got off the phone with another customer who periodically had to
reload his router to regain connectivity. Problem was all his memory
was being used and the culprit was NAT. A quick look at the NAT stats a
couple minutes after a reload shows:

ROUTER#sh ip nat stat
Total active translations: 13633 (8 static, 13625 dynamic; 13633 extended)
Outside interfaces:
   Serial0
Inside interfaces:
   FastEthernet0
Hits: 82227 Misses: 416709
Expired translations: 403110

  Lots of translations in only a 5 minute span of a relatively small
office!!

   A show ip nat trans shows that the vast majority of the translations
were originated from two hosts and almost all the translations were ICMP.
  I denied ICMPs into the FE from those two hosts as a temporary fix
while the customer figures out who they are and cleanses the offenders.

   Dave

McClure, Allen wrote:

> Depends which virus you're talking about, but in general it's a memory
> issue related to the quantity of half-open connections being generated.
>
> For TCP connection issue, you might try TCP Intercept. I've recommended
> its deployment here, but we're shy on code/dram on many routers. Not
> sure if that'll help, but I'm betting it will considering how many
> half-opens I'm seeing when these things are active.
>
> For the ICMP ones, you might try blocking anything specific that you can
> isolate about the virus. If I remember correctly, Welchia utilizes
> 92-byte ICMP echos. Easy enough to drop without impacting normal ICMP
> operation. Rate-limiting ICMP is also something we're considering.
>
> We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> buckles quite harshly when a virus gets on even a single internal
> system.
>
> Allen G. McClure
> CCNP/CCDP/MCSE
> Yum! Brands, Inc.
> Sr. Network Analyst
> allen.mcclure@yum.com
>
>
>
>
> -----Original Message-----
> From: Gracie Pereira [mailto:goa0201@yahoo.com]
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ccielab@groupstudy.com
> Subject: ROuter Reboot due to Virus !!
>
>
> Hi everybody,
>
> We manage Cisco 3660 routers with ver 12.2(2) XB5 version.
> Due to recent virus attacks, the router keeps rebooting. After staying
> up for a couple of hours, we tried blocking the virus ports... but no help.
>
> It's now affecting a couple more routers. Is there any way to stop it before
> the router gets affected and starts reloading on its own?
>
> Trying a lot of possibilities. If anyone has any recommendation to this
> issue, pls share the info.
>
> thanks
> goa0201
>
>
>
>
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"Emotion should reflect reason not guide it"
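
Added example (not part of the original post and not Cisco code): a Python tally of "show ip nat translations" output by inside-local host and protocol, which automates the by-eye check described in the reply above. The sample rows, the addresses and the 25% / 2-entry thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of IOS "show ip nat translations"
# (documentation/private addresses, not taken from the thread).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:512   192.168.1.50:512   198.51.100.7:512   198.51.100.7:512
icmp 203.0.113.1:513   192.168.1.50:513   198.51.100.8:513   198.51.100.8:513
icmp 203.0.113.1:514   192.168.1.50:514   198.51.100.9:514   198.51.100.9:514
icmp 203.0.113.1:600   192.168.1.77:600   198.51.100.20:600  198.51.100.20:600
icmp 203.0.113.1:601   192.168.1.77:601   198.51.100.21:601  198.51.100.21:601
tcp 203.0.113.1:1220   192.168.1.10:1220  198.51.100.80:80   198.51.100.80:80
udp 203.0.113.1:1031   192.168.1.10:1031  198.51.100.53:53   198.51.100.53:53
--- 203.0.113.5        192.168.1.5        ---                ---
"""

# Protocol, inside global (skipped), inside local address with optional port/ICMP id.
ROW = re.compile(r"^(icmp|tcp|udp)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s")

def count_translations(text):
    """Return a Counter keyed by (inside_local_host, protocol)."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header and static '---' rows do not match
            proto, host = m.groups()
            counts[(host, proto)] += 1
    return counts

def suspects(counts, proto="icmp", min_share=0.25, min_entries=2):
    """Hosts whose proto entries make up at least min_share of the dynamic table."""
    total = sum(counts.values())
    out = []
    for (host, p), n in counts.most_common():
        if p == proto and n >= min_entries and total and n / total >= min_share:
            out.append((host, n, round(n / total, 2)))
    return out

if __name__ == "__main__":
    for host, n, share in suspects(count_translations(SAMPLE)):
        print(f"{host}: {n} icmp translations ({share:.0%} of dynamic entries)")
```
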




This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3