Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
0
Helpful
1
Replies

UDP Flooding on Cisco 1810 router

rajmathur678
Level 1
Level 1

‎07-17-2013 09:53 AM - edited ‎03-10-2019 12:04 AM

We are noticing lot of UDP packets on our Cisco 1810 router. This has choked our internet circuit at 100% utilization.

We  were able to find the Source IP address from where these packet are  coming and have denied access to the Source IP through an access list.

We  are seeing that the access-list is blocking that IP , but the has not  stopped the sender from sending the packet to our router and the router  interface is still experiencing high UDP packet from this IP address.

Any advice or help will be really appreciated.

Thanks.

``````````````````````````````````````````````

rcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes

Fa1           85.17.183.81    Fa0           200.201.Xxxx.xxx  11 6634 0035   931M

````````````````````````````````````````````````````````````````````````````

There are 3 top talkers:

IPV4 PROT       bytes        pkts       flows

=========  ==========  ==========  ==========

      17   840413708    19544032         141

        1      295379        4416           7

        6      967448        1797         109

`````````````````````````````````````````````````````````````````````````````````````````````````

Extended IP access list 123

    10 deny ip host 85.17.183.81 any (3844997990 matches)

    11 deny udp host 85.17.183.81 any

    20 permit ip any any (219799308 matches)

`````````````````````````````````````````````````````````````````````````````````````````````````````

FastEthernet1 is up, line protocol is up

  Hardware is PQ3_TSEC, address is xxxx

  Internet address is 21xxxxxxxxx/xx

  MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,

     reliability 255/255, txload 21/255, rxload 228/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters 4d01h

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 13465000 bits/sec, 23375 packets/sec

  5 minute output rate 1256000 bits/sec, 631 packets/sec

     4157523768 packets input, 1494788431 bytes

     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     96471423 packets output, 3912578832 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

```````````````````````````````````````````

interface FastEthernet1

description WAN to Internet

bandwidth 15000

ip address 2XXX.XXX.XXX XXX.XXX.XXX

ip access-group 123 in

ip flow ingress

ip virtual-reassembly

speed 100

full-duplex

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎07-17-2013 09:59 AM

Hi,

Naturally you are able to block the traffic but it will still consume your WAN links bandwith.

I would suggest perhaps contacting your ISP for help with this

RIPE gives the following information related to the public source IP address you are seeing

inetnum:        85.17.183.0 - 85.17.183.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "abuse@leaseweb.com" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
source:         RIPE #Filtered

There is also a contact email above. Maybe you could try that out also.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents