Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1118
Views
0
Helpful
3
Replies

3550 high CPU usage randomly, ssh attack?

bleomycin
Level 1
Level 1

‎07-27-2010 02:03 PM - edited ‎03-04-2019 09:13 AM

Hello everyone,

I have searched the forums but come up empty so far. I have a 3550 colocated with 5 machines currently connected, pushing only about 20mbit 95%. I have an etherchannel connection on the gbit uplinks to the data centers 3560. While i havent really been noticing any strange behavior on the connected machines yet looking at the snmp cpu graphs is a bit disturbing when i see cpu usage hitting 70% while traffic is less than 1mbit at the time. Any help is greatly appreciated this is my first cisco device and im unsure if the switch is being attacked or there is some other missconfiguration?

running config: http://pastebin.com/wm5i82rb

show processes cpu history: http://pastebin.com/4B23HdEP

sh proc cpu | exclude 0.0: http://pastebin.com/4k3wPSBk

Just as i was running that ssh process jumped up, im not sure if it's because im connected via ssh or not, however subsequent runs it dropped down to less than 1%

Assuming there is nothing glaringly wrong with my switch configuration is it safe to assume ssh is being attacked and causing the load? Would creating an acl to only allow the connected machines to connect via ssh solve that problem? Thank you again for any help and please excuse my ignorance this is my first cisco device.

Labels:
0 Helpful
3 Replies 3

ropakalns
Level 1
Level 1

‎07-28-2010 05:14 AM

Hi!

Do you have a public IP on your 3550 (most probably not, but just in case...)? If I connect a router to a publc IP, I get immediately a lot of SSH dictionary attacks, however, it's not burning the processor.

Actually, could be a lot of stuff - here's what comes into my mind:

You can use bpdu guard in conjunction with the portfast feature, because it helps to prevent loops (if it will see a loop (bpdu packet), it will shut down the port and you will get the guilty person:))

What do you see in show mac address-table?

Roberts

0 Helpful

bleomycin
Level 1
Level 1
In response to ropakalns

‎07-28-2010 04:57 PM

ropakalns,

Thank you for the reply, yes the switch does have public facing IP's it is colocated in a data center so the first IP of every vlan is reachable. I'm sorry for my ignorance as i've never heard of bpdu but if it shuts down ports as you say would this disrupt service? Also the only mac addresses i see are of my connected machines and the switch on the other end of the uplinks.

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎07-28-2010 07:28 PM

Hello,

Generally when you connect to the switch via SSH, the CPU utilization will rise depending upon the type of activity you are performing on the switch. If you are executing any commands like "show tech" or "show run" that require the switch to push quite a bit of data to the ssh console, then the CPU util might increase to some extent. It is a better idea to block SSH access to external (internet) devices as it will protect your switch from any attacks.

Hope this helps.

Regards,

NT

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card