From: Jim Newton (jnewton@internetnoc.com)
Date: Thu Oct 02 2003 - 12:43:05 GMT-3
Also look to see if you are using a ton of memory on "IP input". This
usually indicates a lot of process switched packets. In the last couple
weeks I have seen this caused by viruses generating tons of packets that
either had to be NATed, or just by generating tons of random packets. Since
the first packet in to a new address requires a lookup, this was killing the
router.
The way that I solved it in all cases was inbound access lists blocking the
ports that Cisco recommends for the viruses and dumping 92 byte ICMP
packets. If they need a port like TCP 135 internally and can't do without
it, create an access list allowing it only from legitimate internal address
to legitimate internal addresses and block the rest.
If you are not sure where the infected traffic is originating from, you can
try an access list first allowing the port numbers and this will let you
know which interface you are receiving them on. If you need to identify the
actual IP of the offending host, redirect your logging to a syslog server and
put the "log" keyword at the end of the acl statements. This will give you
the IP. Then once you identify them, block them until you can clean them up.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
MADMAN
Sent: Thursday, October 02, 2003 10:19 AM
To: McClure, Allen
Cc: Gracie Pereira; ccielab@groupstudy.com
Subject: Re: Router Reboot due to Virus !!
Just got off the phone with another customer who periodically had to
reload his router to regain connectivity. Problem was all his memory
was being used and the culprit was NAT. A quick look at the NAT stats a
couple minutes after a reload shows:
ROUTER#sh ip nat stat
Total active translations: 13633 (8 static, 13625 dynamic; 13633 extended)
Outside interfaces:
Serial0
Inside interfaces:
FastEthernet0
Hits: 82227 Misses: 416709
Expired translations: 403110
Lots of translations in only a 5 minute span of a relatively small
office!!
A show ip nat trans shows that the vast majority of the translations
were originated from two hosts and almost all the translations were ICMP.
I denied ICMPs into the FE from those two hosts as a temporary fix
while the customer figures out who they are and cleanses the offenders.
Dave
McClure, Allen wrote:
> Depends which virus you're talking about, but in general it's a memory
> issue related to the quantity of half-open connections being generated.
>
> For the TCP connection issue, you might try TCP Intercept. I've recommended
> its deployment here, but we're shy on code/dram on many routers. Not
> sure if that'll help, but I'm betting it will considering how many
> half-opens I'm seeing when these things are active.
>
> For the ICMP ones, you might try blocking anything specific that you can
> isolate about the virus. If I remember correctly, Welchia utilizes
> 92-byte ICMP echos. Easy enough to drop without impacting normal ICMP
> operation. Rate-limiting ICMP is also something we're considering.
>
> We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> buckles quite harshly when a virus gets on even a single internal
> system.
>
> Allen G. McClure
> CCNP/CCDP/MCSE
> Yum! Brands, Inc.
> Sr. Network Analyst
> allen.mcclure@yum.com
>
> -----Original Message-----
> From: Gracie Pereira [mailto:goa0201@yahoo.com]
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ccielab@groupstudy.com
> Subject: Router Reboot due to Virus !!
>
>
> Hi everybody,
>
> We manage Cisco 3660 routers with version 12.2(2)XB5.
> Due to recent virus attacks, the router keeps rebooting after staying up
> for a couple of hours. We tried blocking the virus ports, but no help.
>
> It's now affecting a couple more routers. Is there any way to stop it before
> the router gets affected and starts reloading on its own?
>
> Trying a lot of possibilities. If anyone has any recommendation on this
> issue, please share the info.
>
> thanks
> goa0201
>
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367
"Emotion should reflect reason not guide it"
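Jim's advice to point logging at a syslog server and add the "log" keyword to the ACL, and Dave's finding that nearly all the NAT translations came from two hosts, both come down to counting denied packets per source. As an added example (not code from any poster in this thread), the Python below parses IOS ACL log lines of the usual %SEC-6-IPACCESSLOGP / IPACCESSLOGDP shape and ranks sources by denied packets and their busiest service; the sample syslog lines are constructed and the record field names are my own.

```python
import re
from collections import Counter, defaultdict

# IOS ACL "log" messages: IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP
# (icmp with type/code), IPACCESSLOGNP (other protocols). Group names are mine.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)"
    r"(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return a record for one ACL log line, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    if d["proto"] == "icmp":
        service = f"icmp {d['itype']}/{d['icode']}"  # 8/0 is echo request
    elif d["dport"]:
        service = f"{d['proto']}/{d['dport']}"
    else:
        service = d["proto"]
    return {"acl": d["acl"], "action": d["action"], "src": d["src"],
            "dst": d["dst"], "service": service, "count": int(d["count"])}

def top_talkers(lines, action="denied", n=5):
    """Sum per-source packet counts (IOS logs 1 packet, then N-packet summaries) and note the top service."""
    per_src, per_service = Counter(), defaultdict(Counter)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != action:
            continue
        per_src[rec["src"]] += rec["count"]
        per_service[rec["src"]][rec["service"]] += rec["count"]
    return [(src, total, per_service[src].most_common(1)[0][0])
            for src, total in per_src.most_common(n)]

# Constructed sample syslog lines (not from the thread): two infected hosts
# hammering ICMP echo and TCP/135, plus one legitimate permitted RPC client.
SAMPLE_LOG = """\
Oct  2 10:19:31 rtr1 101: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.23 -> 10.0.0.9 (8/0), 1 packet
Oct  2 10:19:31 rtr1 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.23(1028) -> 10.0.0.5(135), 1 packet
Oct  2 10:24:31 rtr1 103: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.23 -> 10.0.0.9 (8/0), 1312 packets
Oct  2 10:24:31 rtr1 104: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.77 -> 10.0.3.14 (8/0), 905 packets
Oct  2 10:24:32 rtr1 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.23(1029) -> 10.0.0.6(135), 40 packets
Oct  2 10:24:32 rtr1 106: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.5(3342) -> 10.0.0.5(135), 3 packets
Oct  2 10:24:33 rtr1 107: %SYS-5-CONFIG_I: Configured from console by vty0
"""
```

Call `top_talkers(SAMPLE_LOG.splitlines())` to get the ranked list; feed it the exported syslog file instead to find the hosts to block until they are cleaned.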
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3