From: Robert Rech (brech@kc.rr.com)
Date: Thu Oct 02 2003 - 23:03:50 GMT-3
A couple of things that may help:

On segments that do not have NMS servers I have used either rate-limit or police on ICMP echo traffic; this cuts the amount of traffic down before it brings down routers, WAN links and such. Also, turning on NetFlow can help to show where the traffic is coming from.

This is a small sample of output from an Internet router, a 3640 with 128 MB RAM, taking full BGP with NetFlow enabled. NetFlow requires that CEF be enabled.
UUNET-INTER-DS3#sh ip cac flo
IP packet size distribution (1144M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .007 .487 .102 .022 .061 .013 .009 .010 .006 .004 .003 .005 .002 .002 .002

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .003 .013 .025 .213 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
1316 active, 2780 inactive, 189315151 added
2696189315 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        1657      0.0         2    56      0.0       3.3       8.6
TCP-FTP         245170      0.0        12    88      0.7       5.0       5.7
TCP-FTPD        780547      0.1         4   803      0.8       2.4      15.2
TCP-WWW       60441527     14.0         6   702     98.1       4.3       9.3
TCP-SMTP      13719074      3.1        11   249     37.2       2.0       2.6
TCP-X              492      0.0       803    62      0.0     137.1      12.9
TCP-BGP             34      0.0         1    41      0.0       0.1       1.9
TCP-NNTP            63      0.0         1    68      0.0       0.3       9.2
TCP-Frag          3890      0.0        52   107      0.0       7.0      15.5
TCP-other     11047082      2.5        12   391     31.9       5.1      11.8
UDP-DNS        3156665      0.7         3    93      2.8       3.9      15.5
UDP-NTP          28699      0.0         1    78      0.0       0.0      15.5
UDP-TFTP          1282      0.0         3   404      0.0       8.0      15.5
UDP-Frag          1151      0.0        79    80      0.0      19.4      15.5
UDP-other      6512090      1.5         3   250      4.9       3.4      15.5
ICMP          92574049     21.5         3    61     70.2       2.1      15.6
GRE             581266      0.1        95   133     12.9      23.0      15.5
IP-other        219097      0.0       125   571      6.3      34.9      15.4
Total:       189313835     44.0         6   385    266.3       3.2      12.4
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Hs1/0.1       65.211.106.53   Fa0/0.100     65.212.24.50    01 0000 0303     1   <- Pr 01 is ICMP, 06 is TCP, 11 is UDP (in hex)
Hs1/0.1       65.211.106.53   Fa0/0.100     65.212.24.49    01 0000 0303     1
Hs1/0.1       67.234.64.3     Fa0/0.100     65.212.24.50    01 0000 0B00    78
Hs1/0.1       67.234.64.3     Fa0/0.100     65.212.24.49    01 0000 0B00    78
Hs1/0.1       65.214.50.33    Fa0/0.100     65.212.24.49    01 0000 0B00     1
Hs1/0.1       65.214.50.33    Fa0/0.100     65.212.24.50    01 0000 0B00     1
Hs1/0.1       209.73.176.194  Fa0/0.101     65.212.25.33    06 0019 0F7C     9
Hs1/0.1       67.203.0.11     Fa0/0.100     65.212.24.50    01 0000 0B00   215
Hs1/0.1       67.203.0.11     Fa0/0.100     65.212.24.49    01 0000 0B00   215
Hs1/0.1       67.201.216.13   Fa0/0.100     65.212.24.49    01 0000 0303   152
Hs1/0.1       67.201.216.13   Fa0/0.100     65.212.24.50    01 0000 0303   152
Hs1/0.1       67.209.192.26   Fa0/0.100     65.212.24.49    01 0000 0B00   215
Hs1/0.1       67.209.192.26   Fa0/0.100     65.212.24.50    01 0000 0B00   215
Hs1/0.1       65.210.170.28   Fa0/0.100     65.212.24.50    01 0000 0303     2
Hs1/0.1       216.35.11.46    Fa0/0.100     65.212.24.49    01 0000 0B00     1
Hs1/0.1       65.210.170.28   Fa0/0.100     65.212.24.49    01 0000 0303     2
Hs1/0.1       65.209.154.5    Fa0/0.100     65.212.24.50    01 0000 0301     2
----- Original Message -----
From: "McClure, Allen" <Allen.McClure@Yum.com>
To: "Gracie Pereira" <goa0201@yahoo.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 02, 2003 9:33 AM
Subject: RE: Router Reboot due to Virus !!
> Depends which virus you're talking about, but in general it's a memory
> issue related to the quantity of half-open connections being generated.
>
> For the TCP connection issue, you might try TCP Intercept. I've recommended
> its deployment here, but we're shy on code/DRAM on many routers. Not
> sure if that'll help, but I'm betting it will, considering how many
> half-opens I'm seeing when these things are active.
>
> For the ICMP ones, you might try blocking anything specific that you can
> isolate about the virus. If I remember correctly, Welchia utilizes
> 92-byte ICMP echos. Easy enough to drop without impacting normal ICMP
> operation. Rate-limiting ICMP is also something we're considering.
>
> We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> buckles quite harshly when a virus gets on even a single internal
> system.
>
> Allen G. McClure
> CCNP/CCDP/MCSE
> Yum! Brands, Inc.
> Sr. Network Analyst
> allen.mcclure@yum.com
>
>
>
>
> -----Original Message-----
> From: Gracie Pereira [mailto:goa0201@yahoo.com]
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ccielab@groupstudy.com
> Subject: Router Reboot due to Virus !!
>
>
> Hi everybody,
>
> We manage Cisco 3660 routers with IOS version 12.2(2)XB5.
> Due to recent virus attacks, the router keeps rebooting after staying up
> for a couple of hours. We tried blocking the virus ports, but no help.
>
> It's now affecting a couple more routers. Is there any way to stop it before
> the router gets affected and starts reloading on its own?
>
> Trying a lot of possibilities. If anyone has any recommendation on this
> issue, please share the info.
>
> thanks
> goa0201
>
>
>
>
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
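The mitigations the thread discusses (CAR rate-limiting or policing of ICMP echo, dropping the 92-byte Welchia echo requests by size, TCP intercept for half-open connections, and NetFlow to see where the traffic comes from) collected into one IOS configuration. This is an added example, not configuration posted by anyone in the thread. Interface names, the 192.0.2.0/24 protected range, ACL numbers, rates and thresholds are hypothetical; `match packet length` and MQC `police` are only available on IOS releases and platforms that support them, so check the feature set of the code in use before relying on the class-map.

```ios
! Added example, not from the thread. Interface names, addresses, ACL
! numbers, rates and thresholds are hypothetical placeholders.

! 1. Attribution: NetFlow needs CEF. Enable flow accounting on the
!    upstream interface, then read "show ip cache flow" as in the thread.
ip cef
!
interface Serial0/0
 description Upstream link (hypothetical)
 ip route-cache flow
!
! 2. Welchia/Nachi probes are ICMP echo requests carried in 92-byte IP
!    packets. Matching on size drops the worm traffic without breaking
!    ordinary pings. Requires MQC "match packet length" support.
access-list 110 permit icmp any any echo
!
class-map match-all WELCHIA-ICMP
 match access-group 110
 match packet length min 92 max 92
!
policy-map DROP-WELCHIA
 class WELCHIA-ICMP
  police 8000 1000 conform-action drop exceed-action drop
!
! 3. Generic cap on echo/echo-reply for segments that have no NMS that
!    must ping through: CAR at 256 kbit/s with 8000-byte bursts.
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
!
interface Serial0/0
 service-policy input DROP-WELCHIA
 rate-limit input access-group 120 256000 8000 8000 conform-action transmit exceed-action drop
!
! 4. Half-open TCP connections: TCP intercept in watch mode for the
!    protected range selected by ACL 130. Watch mode only resets
!    connections that fail to complete within the timeout, so it costs
!    less memory than intercept mode on routers that are short of DRAM.
access-list 130 permit tcp any 192.0.2.0 0.0.0.255
!
ip tcp intercept list 130
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 700
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 700
!
! Verification (exec mode):
!   show ip cache flow
!   show policy-map interface Serial0/0
!   show interfaces Serial0/0 rate-limit
!   show tcp intercept statistics
```

Two things to keep in mind when reading the NetFlow output above against this configuration. First, 92 bytes is the IP total length (20-byte IP header, 8-byte ICMP header, 64 bytes of payload), so the size match is on the packet as NetFlow reports it in the Bytes/Pkt column, not on the ICMP payload alone. Second, for ICMP flows the cache shows no ports: NetFlow stores the ICMP type in the high byte and the code in the low byte of the DstP field, so DstP 0B00 is type 11 code 0 (time exceeded), 0303 is type 3 code 3 (port unreachable) and 0301 is type 3 code 1 (host unreachable); echo requests would appear as 0800. The sample flows in the thread are therefore ICMP error messages returning to the two inside hosts, which is worth knowing before assuming a policer on echo requests alone will remove them.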
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:56 GMT-3