06-09-2003 07:36 AM - edited 03-02-2019 07:59 AM
Hi All,
I have a setup of nearly 25-odd 3640 routers and some 7206 routers. On the 3640 router I have two Ethernet interfaces. The user's LAN is connected to only one interface and the other one is redundant.
The problem is that when the user LAN is connected to the interface, CPU utilisation is more than 90% and there are a lot of collisions in the LAN. When I disconnect the LAN from the router, it is OK.
I suspect propagation of some virus such as Nimda and Bugbear. Is that correct? If not, can any of you educate me on the solution for this?
WBR
Manoj Reddy
06-09-2003 07:44 AM
When you turn on the FE segment, enable IP accounting. This will give source and destination pairs. Look for one packet being sent to multiple locations, usually in succession, that are the same byte size, usually small, like 76 bytes.
06-10-2003 01:23 AM
It definitely looks like the router is being killed by traffic, maybe an attack as you suspect.
Try to identify the packets using a sniffer or IP accounting, though be careful with accounting not to kill the router, as the CPU is quite high already.
06-10-2003 05:34 AM
Yes, some sort of virus is propagating through the network.
When I checked the IP cache of the router with "sh ip cache", I found a lot of invalid entries such as 10.37.112.1, 10.37.112.2, 10.37.112.3...
The list goes on like that, but the 10.37.112.0 network does not exist anywhere in our network.
It seems like it is the Nimda virus.
Any suggestions to restrict that at the router level?
Thank you
Manoj
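Added example, not part of the original thread: a small Python script that applies the IP accounting advice above (one packet of the same small size sent to many destinations) to text saved from `show ip accounting`. The sample rows, the 10.1.1.x source hosts and both thresholds are constructed assumptions; the 10.37.112.x destinations mirror the cache entries described above.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of `show ip accounting` output;
# the 10.1.1.x hosts and the counters are made up for this example.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.1.1.23        10.37.112.1                      1                  76
 10.1.1.23        10.37.112.2                      1                  76
 10.1.1.23        10.37.112.3                      1                  76
 10.1.1.23        10.37.112.4                      1                  76
 10.1.1.23        10.37.112.5                      1                  76
 10.1.1.23        10.37.112.6                      1                  76
 10.1.1.40        192.168.5.10                   412              301223
 10.1.1.41        192.168.5.10                     1                  60

Accounting data age is 4
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Yield (source, destination, packets, bytes) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def find_scanners(text, min_dests=5, max_bytes=100):
    """Return {source: (destination_count, bytes)} for hosts that sent one
    small packet of identical size to at least min_dests destinations.
    Both thresholds are assumptions to tune per network."""
    probes = defaultdict(lambda: defaultdict(set))  # source -> size -> {destinations}
    for src, dst, pkts, nbytes in parse_accounting(text):
        if pkts == 1 and nbytes <= max_bytes:
            probes[src][nbytes].add(dst)
    hits = {}
    for src, by_size in probes.items():
        size, dests = max(by_size.items(), key=lambda kv: len(kv[1]))
        if len(dests) >= min_dests:
            hits[src] = (len(dests), size)
    return hits

if __name__ == "__main__":
    for host, (count, size) in find_scanners(SAMPLE).items():
        print(f"{host}: single {size}-byte packets to {count} destinations")
```

Hosts it reports are candidates to confirm with a sniffer on the LAN segment before disconnecting them.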
06-10-2003 08:11 AM
Hi Manoj,
If you are sure that it's due to the Nimda virus, then find out the extension of the files through which it's affecting and creating unnecessary traffic.
Then you can create a class map and policy map in which you can block the files with the extension used by Nimda.
Bind the same map on your FE.
I haven't tried this yet but hope this may help you.
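! Class that matches HTTP requests whose URL contains the file pattern (placeholder)
class-map match-any virus-files
 match protocol http url "*xxxx.ext*"
! Policy that marks packets in that class with DSCP 1
policy-map mark-virus
 class virus-files
  set ip dscp 1
! Apply the policy to traffic arriving on the FE interface
interface fastethernet 0
 service-policy input mark-virus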
But nowadays we are seeing any number of viruses daily, and we can't block all of them...
Regards
prem
06-11-2003 06:04 AM
I have even done that.
But the CPU utilization is still high. It comes back to normal when I disconnect the particular hosts broadcasting the virus from the LAN.
I was able to find the culprit systems in the LAN using a packet sniffer.
Thank you for your reply, prem.
Manoj