UDP Flooding on Cisco 1810 router

Jul 17th, 2013

We are noticing a lot of UDP packets on our Cisco 1810 router. This has choked our internet circuit at 100% utilization.

We were able to find the Source IP address from where these packets are coming and have denied access to the Source IP through an access list.

We are seeing that the access-list is blocking that IP, but that has not stopped the sender from sending the packets to our router and the router interface is still experiencing high UDP packet traffic from this IP address.


Any advice or help will be really appreciated.


Thanks.


```
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa1           85.17.183.81    Fa0           200.201.Xxxx.xxx  11 6634 0035   931M
```


```
There are 3 top talkers:

IPV4 PROT       bytes        pkts       flows
=========  ==========  ==========  ==========
       17   840413708    19544032         141
        1      295379        4416           7
        6      967448        1797         109
```


```
Extended IP access list 123
    10 deny ip host 85.17.183.81 any (3844997990 matches)
    11 deny udp host 85.17.183.81 any
    20 permit ip any any (219799308 matches)
```

```
FastEthernet1 is up, line protocol is up
  Hardware is PQ3_TSEC, address is xxxx
  Internet address is 21xxxxxxxxx/xx
  MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,
     reliability 255/255, txload 21/255, rxload 228/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 4d01h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 13465000 bits/sec, 23375 packets/sec
  5 minute output rate 1256000 bits/sec, 631 packets/sec
     4157523768 packets input, 1494788431 bytes
     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     96471423 packets output, 3912578832 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
```


```
interface FastEthernet1
 description WAN to Internet
 bandwidth 15000
 ip address 2XXX.XXX.XXX XXX.XXX.XXX
 ip access-group 123 in
 ip flow ingress
 ip virtual-reassembly
 speed 100
 full-duplex
```

Jouni Forss Wed, 07/17/2013 - 09:59

Hi,


Naturally you are able to block the traffic but it will still consume your WAN link's bandwidth.


I would suggest perhaps contacting your ISP for help with this.


RIPE gives the following information related to the public source IP address you are seeing


inetnum:        85.17.183.0 - 85.17.183.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "[email protected]" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
source:         RIPE #Filtered


There is also a contact email above. Maybe you could try that out also.


- Jouni
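
The reply's point, worked through with the figures posted in the question (an added example, not code from either poster): the script decodes the flow row, whose Pr, SrcP and DstP columns IOS prints in hexadecimal, and compares how much the inbound ACL drops with how full the link still is. It assumes the configured `bandwidth 15000` matches the real circuit rate.

```python
import re

# Output lines copied from the question above (destination address is redacted there).
FLOW_LINE = "Fa1           85.17.183.81    Fa0           200.201.Xxxx.xxx  11 6634 0035   931M"
INTERFACE_OUTPUT = """\
  MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,
     reliability 255/255, txload 21/255, rxload 228/255
  5 minute input rate 13465000 bits/sec, 23375 packets/sec
  5 minute output rate 1256000 bits/sec, 631 packets/sec
"""
ACL_OUTPUT = """\
    10 deny ip host 85.17.183.81 any (3844997990 matches)
    11 deny udp host 85.17.183.81 any
    20 permit ip any any (219799308 matches)
"""
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
ACL_ENTRY = re.compile(r"^ *\d+ (deny|permit) .*\((\d+) matches\)$", re.M)


def decode_flow(line):
    """Decode one NetFlow cache row; Pr, SrcP and DstP are hexadecimal."""
    src_if, src_ip, dst_if, dst_ip, proto, sport, dport, volume = line.split()
    number = int(proto, 16)
    return {"src": src_ip, "in_if": src_if,
            "protocol": IP_PROTOCOLS.get(number, str(number)),
            "src_port": int(sport, 16), "dst_port": int(dport, 16),
            "volume": volume}


def input_utilization(show_interface):
    """Percent of the configured bandwidth used by the 5 minute input rate."""
    bw_kbit = int(re.search(r"BW (\d+) Kbit", show_interface).group(1))
    rate_bps = int(re.search(r"input rate (\d+) bits/sec", show_interface).group(1))
    return round(100 * rate_bps / (bw_kbit * 1000), 1)


def acl_drop_share(show_acl):
    """Percent of ACL-counted packets that matched a deny entry."""
    counts = {"deny": 0, "permit": 0}
    for action, matches in ACL_ENTRY.findall(show_acl):
        counts[action] += int(matches)
    return round(100 * counts["deny"] / sum(counts.values()), 1)


if __name__ == "__main__":
    print(decode_flow(FLOW_LINE))
    print("input utilization %:", input_utilization(INTERFACE_OUTPUT))
    print("ACL drop share %:", acl_drop_share(ACL_OUTPUT))
```

The ACL discards about 95% of the packets it has counted, yet the input rate still sits near 90% of the circuit, because those packets have already crossed the WAN link by the time the router drops them.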
