07-17-2013 09:53 AM - edited 03-10-2019 12:04 AM
We are noticing a lot of UDP packets on our Cisco 1810 router. This has choked our internet circuit at 100% utilization.
We were able to find the Source IP address from where these packets are coming and have denied access to the Source IP through an access list.
We are seeing that the access-list is blocking that IP, but this has not stopped the sender from sending packets to our router, and the router interface is still experiencing a high volume of UDP packets from this IP address.
Any advice or help will be really appreciated.
Thanks.
``````````````````````````````````````````````
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Fa1 85.17.183.81 Fa0 200.201.Xxxx.xxx 11 6634 0035 931M
````````````````````````````````````````````````````````````````````````````
There are 3 top talkers:
IPV4 PROT bytes pkts flows
========= ========== ========== ==========
17 840413708 19544032 141
1 295379 4416 7
6 967448 1797 109
`````````````````````````````````````````````````````````````````````````````````````````````````
Extended IP access list 123
10 deny ip host 85.17.183.81 any (3844997990 matches)
11 deny udp host 85.17.183.81 any
20 permit ip any any (219799308 matches)
`````````````````````````````````````````````````````````````````````````````````````````````````````
FastEthernet1 is up, line protocol is up
Hardware is PQ3_TSEC, address is xxxx
Internet address is 21xxxxxxxxx/xx
MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,
reliability 255/255, txload 21/255, rxload 228/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 4d01h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 13465000 bits/sec, 23375 packets/sec
5 minute output rate 1256000 bits/sec, 631 packets/sec
4157523768 packets input, 1494788431 bytes
Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
96471423 packets output, 3912578832 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
```````````````````````````````````````````
interface FastEthernet1
description WAN to Internet
bandwidth 15000
ip address 2XXX.XXX.XXX XXX.XXX.XXX
ip access-group 123 in
ip flow ingress
ip virtual-reassembly
speed 100
full-duplex
07-17-2013 09:59 AM
Hi,
Naturally you are able to block the traffic, but it will still consume your WAN link's bandwidth.
I would suggest perhaps contacting your ISP for help with this.
RIPE gives the following information related to the public source IP address you are seeing:
inetnum: 85.17.183.0 - 85.17.183.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE #Filtered
There is also a contact email above. Maybe you could try that out also.
- Jouni
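An added example, not part of either post: a Python triage helper run over lines copied from the outputs posted in this thread. It decodes the flow row (IOS prints the Pr, SrcP and DstP columns in hexadecimal) and compares inbound utilization with the ACL deny counters, which shows the reply's point that an inbound ACL drops packets only after they have crossed the WAN link. All function names are hypothetical.

```python
import re

# Constructed sample input: lines copied from the outputs posted in this thread.
FLOW_LINE = "Fa1 85.17.183.81 Fa0 200.201.Xxxx.xxx 11 6634 0035 931M"
INTERFACE_OUTPUT = """\
MTU 1500 bytes, BW 15000 Kbit, DLY 100 usec,
reliability 255/255, txload 21/255, rxload 228/255
5 minute input rate 13465000 bits/sec, 23375 packets/sec
"""
ACL_OUTPUT = """\
Extended IP access list 123
10 deny ip host 85.17.183.81 any (3844997990 matches)
11 deny udp host 85.17.183.81 any
20 permit ip any any (219799308 matches)
"""
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

def decode_flow(line):
    """Decode one flow row; protocol and ports are hexadecimal in IOS output."""
    src_if, src_ip, dst_if, dst_ip, pr, sport, dport, volume = line.split()
    proto = int(pr, 16)
    return {"src_ip": src_ip, "in_if": src_if, "bytes": volume,
            "proto": PROTOCOLS.get(proto, str(proto)),
            "src_port": int(sport, 16), "dst_port": int(dport, 16)}

def inbound_utilization(show_interface):
    """Return (percent from 5-minute input rate, percent from rxload)."""
    bw_kbit = int(re.search(r"BW (\d+) Kbit", show_interface).group(1))
    rate_bps = int(re.search(r"input rate (\d+) bits/sec", show_interface).group(1))
    rxload = int(re.search(r"rxload (\d+)/255", show_interface).group(1))
    return round(100 * rate_bps / (bw_kbit * 1000), 1), round(100 * rxload / 255, 1)

def acl_drop_share(show_acl):
    """Percent of counted ACL hits that matched a deny entry."""
    hits = re.findall(r"^\s*\d+ (deny|permit) .*\((\d+) matches\)", show_acl, re.M)
    denied = sum(int(n) for action, n in hits if action == "deny")
    total = sum(int(n) for _, n in hits)
    return round(100 * denied / total, 1)

if __name__ == "__main__":
    print(decode_flow(FLOW_LINE))                # UDP toward destination port 53
    print(inbound_utilization(INTERFACE_OUTPUT)) # link still close to saturated
    print(acl_drop_share(ACL_OUTPUT))            # most counted hits are denies
```

The ACL counters show the router discarding the bulk of what arrives, while the input rate stays near the configured 15000 Kbit, so relief has to come from filtering upstream of the link.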