We recently had a situation where a vulnerability scanner went haywire and was trying to port scan across an entire class A subnet.
The scanning started at 10.0.0.0, and was scanning across a wide range of ports.
We have no routes in that subnet in our network, so the traffic was getting passed through the firewall to the Internet edge router.
We are getting a default route from Verizon, which is in this router's route table, which then points to the PE router that peers with my Internet edge router on a T1.
The CPU on this router would bounce up to 100% and stay there, causing the serial interface to shut down.
Here is what I don't understand:
Why was this pegging the CPU and causing the interface to shut down, when I have seen data downloads and web traffic also utilize 100% of the T1 without doing this?
The router has a default route to Verizon's router, so this router was not having to drop the packets; it was just passing them through as the data would be.
Unless (as I am writing this, I am thinking about it) it has to do with the firewall PATing the single IP address and probably just sourcing a few ports, compared to the scanning of numerous addresses and dozens of ports continuously.
Did I just answer my own question: the router could not process all of that?
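To make the distinction the post is circling concrete, here is an added illustration (it is not part of the original post and not a model of any particular router or firewall): a bulk download is one TCP session, so thousands of packets share a single 5-tuple, whereas a scan sweeping a /8 across several ports produces a brand-new 5-tuple for almost every packet, which is exactly what a PAT table or a per-flow cache has to set up state for. The packet records, the inside host 192.0.2.10 and the scanned port list are constructed for the example; the 10.0.0.0/8 target range is taken from the post.

```python
"""Added example: count distinct flows for a download versus a /8 port scan,
and flag the scanning source. All packet records below are constructed."""
from collections import defaultdict
from ipaddress import IPv4Network

INSIDE_HOST = "192.0.2.10"          # constructed: the host behind the PAT firewall
SCAN_TARGET = IPv4Network("10.0.0.0/8")   # the range named in the post
SCAN_PORTS = [22, 80, 443]          # constructed: "dozens of ports" in reality


def flow_key(pkt):
    """The 5-tuple a PAT table or flow cache keys its state on."""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def download_packets(n):
    """One TCP session to one server: n packets that all share a single flow."""
    return [{"proto": "tcp", "src": INSIDE_HOST, "sport": 50000,
             "dst": "198.51.100.7", "dport": 443} for _ in range(n)]


def scan_packets(network, ports, limit):
    """SYN probes sweeping `network` across `ports`, capped at `limit` packets.
    The scanner rotates its source port, so every probe is a distinct 5-tuple."""
    pkts = []
    for host in network.hosts():            # lazy: a /8 is never materialised
        for port in ports:
            if len(pkts) >= limit:
                return pkts
            pkts.append({"proto": "tcp", "src": INSIDE_HOST,
                         "sport": 40000 + len(pkts) % 20000,
                         "dst": str(host), "dport": port})
    return pkts


def flow_stats(pkts):
    """Packets, distinct flows, and packets per flow for a packet list."""
    flows = defaultdict(int)
    for p in pkts:
        flows[flow_key(p)] += 1
    return {"packets": len(pkts), "flows": len(flows),
            "packets_per_flow": len(pkts) / max(len(flows), 1)}


def scanning_sources(pkts, max_dests=100):
    """Sources that touched more than `max_dests` distinct (dst, dport) pairs.
    A download never trips this; a sweep of many hosts and ports does."""
    dests = defaultdict(set)
    for p in pkts:
        dests[p["src"]].add((p["dst"], p["dport"]))
    return {src for src, d in dests.items() if len(d) > max_dests}


if __name__ == "__main__":
    n = 10_000
    print("download:", flow_stats(download_packets(n)))
    scan = scan_packets(SCAN_TARGET, SCAN_PORTS, n)
    print("scan:    ", flow_stats(scan))
    print("flagged: ", scanning_sources(scan))
```

The same packet count gives one flow for the download and ten thousand for the scan, so the per-flow work (a new translation entry, a new cache entry) is paid once for the download and once per packet for the scan. The post does not establish which piece of per-flow processing actually pegged that router's CPU, so the script only shows the flow-count difference; the `scanning_sources` threshold is the kind of check that would have flagged the runaway scanner from firewall or NetFlow records before it reached the edge.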