Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

High utilization of the Internet Link

I have a 2mb internet link to the ISP.when i issue a show interface serial command, it shows a very high utilization on txload & rxload parameters. The txload is more tham 90% even when there is no users accessing the internet. Is it some hacker attack.

How to interpret the txload & rxload of the show interface serial command output?

Thanks in advance.

7 REPLIES

Re: High utilization of the Internet Link

Hi,

the meaning is:

txload

Transmit load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.

rxload

Receive load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.

Thus you have either a worm or some applications running without user action involved (like an email server or Web or FTP server and such).

To further investigate the problem I would check, what traffic is sent to the router. you could use a Hub and a network analyzer (like ethereal) to monitor the LAN interface of the router.

Regards, Martin

Re: High utilization of the Internet Link

Hi

Though martin has already commented about the exponential calculation i would suggest to check the bandwidth parameter set under the interface which also used for arriving the tx/rx load fraction.

By default the serial interfaces comes with 1544Kbps though u connect a E1 onto that.

Do check the same and define the bandwidth to 2048Kbps and check for the loading capacity.

If its already done do follow the suggestions made by martin.

regds

New Member

Re: High utilization of the Internet Link

Hello Martin,

Thanks for your valuable input.

As i have a 2mb link, i have configured the bandwidth 2048 on the serial interface.

When i issue the command show interface Fa0/0 it show a utilization of less then 5/255 at almost all the times.but on Serial it shows a very high utilization.

So is it worth sniffing the Fa0/0 but it seems that the LAN traffic is very minimal.

Is there any access-list config to avoid any such attack/worm.Also what do you mean by applications running without any user action involved. we have just one mapping of a global IP to our internal mail server

Re: High utilization of the Internet Link

Hello,

if you do a 'show proc cpu', can you see any process utilizing a high percentage of the CPU ? Since your LAN interface is not highly utilized, you could very well be under attack from an outside source. Depending on the IOS version you are running, you could configure NBAR, in order to find out which protocols are using the bandwidth on your serial interface:

interface Serial 1/1

ip nbar protocol-discovery

After you have configured this on your interface, use the 'show ip nbar protocol-discovery' to display the statistics of the protocol information gathered.

If you are seeing high CPU utilization, the following strategies might be worth examining as well:

Dealing with mallocfail and High CPU Utilization Resulting From the "Code Red" Worm

http://www.cisco.com/en/US/products/hw/iad/ps397/products_tech_note09186a00800a73e9.shtml

How to Protect Your Network Against the Nimda Virus

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080110d17.shtml

HTH,

GNT

Hall of Fame Super Silver

Re: High utilization of the Internet Link

If we assume that the fastethernet interface is running at 100Mb, my math indicates that 5/255 busy of a 100 Mb interface is pretty close to 2 Mb. Until we know more about the environment and whether the traffic from the fastethernet is going out the serial or whether there are other interfaces that may take some of that traffic, I think that the amount of traffic on the serial can reasonably be explained without assuming some worm attack.

HTH

Rick

New Member

Re: High utilization of the Internet Link

This is a 2620 Chasi with 32MD DRAM & 8mb flash. the IOS is 12.0(3)T3. It has only 1 Fa0/0 & S0/0. Ethernet is connected to FW & Serial to ISP. So all the Internet traffic is going from the FW to this Router fa0/0 & through S0/0 to the ISP.

Pl. comment further.

Thanks

Jevin

New Member

Re: High utilization of the Internet Link

A quick and dirty way to see what is going on is to turn on ip accounting on the interface, clear the ip accounting and quickly issue the show command to see where the excess traffic is sourcing from. This is RAW output so you will have to analyze closely. Do the following;

On the fa0/0, enable "ip accounting output-packets". Issue "clear ip accounting" and quickly issue "sh ip accounting". You will get the following output;

Source IP, Destination IP, Packets, Bytes.

I normally look for a popular destination IP such as an email server, web server, etc. Keep clearing ip accounting and issuing show ip accounting and look for patterns. Like I said this is a down and dirty way to do things, but I have found it works well to help pin point in the beggining of my analysis if no better tools are available on customer site.

536
Views
0
Helpful
7
Replies
CreatePlease to create content