I have a 2mb internet link to the ISP. When I issue a show interface serial command, it shows a very high utilization on the txload & rxload parameters. The txload is more than 90% even when there are no users accessing the internet. Is it some hacker attack?
How to interpret the txload & rxload of the show interface serial command output?
As I have a 2mb link, I have configured bandwidth 2048 on the serial interface.
When I issue the command show interface Fa0/0 it shows a utilization of less than 5/255 at almost all times, but on Serial it shows a very high utilization.
So is it worth sniffing the Fa0/0? But it seems that the LAN traffic is very minimal.
Is there any access-list config to avoid any such attack/worm? Also what do you mean by applications running without any user action involved? We have just one mapping of a global IP to our internal mail server.
If you do a 'show proc cpu', can you see any process utilizing a high percentage of the CPU? Since your LAN interface is not highly utilized, you could very well be under attack from an outside source. Depending on the IOS version you are running, you could configure NBAR in order to find out which protocols are using the bandwidth on your serial interface:
interface Serial 1/1
ip nbar protocol-discovery
After you have configured this on your interface, use the 'show ip nbar protocol-discovery' to display the statistics of the protocol information gathered.
If you are seeing high CPU utilization, the following strategies might be worth examining as well:
Dealing with mallocfail and High CPU Utilization Resulting From the "Code Red" Worm
If we assume that the fastethernet interface is running at 100Mb, my math indicates that 5/255 busy of a 100 Mb interface is pretty close to 2 Mb. Until we know more about the environment and whether the traffic from the fastethernet is going out the serial or whether there are other interfaces that may take some of that traffic, I think that the amount of traffic on the serial can reasonably be explained without assuming some worm attack.
This is a 2620 chassis with 32MB DRAM & 8mb flash. The IOS is 12.0(3)T3. It has only 1 Fa0/0 & S0/0. Ethernet is connected to the FW & Serial to the ISP. So all the Internet traffic is going from the FW to this router's fa0/0 & through S0/0 to the ISP.
A quick and dirty way to see what is going on is to turn on ip accounting on the interface, clear the ip accounting and quickly issue the show command to see where the excess traffic is sourcing from. This is RAW output so you will have to analyze it closely. Do the following:
On the fa0/0, enable "ip accounting output-packets". Issue "clear ip accounting" and quickly issue "sh ip accounting". You will get the following output:
Source IP, Destination IP, Packets, Bytes.
I normally look for a popular destination IP such as an email server, web server, etc. Keep clearing ip accounting and issuing show ip accounting and look for patterns. Like I said, this is a down and dirty way to do things, but I have found it works well to help pinpoint things in the beginning of my analysis if no better tools are available on the customer site.
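To make the pattern-spotting above repeatable, here is an added Python example (not from this thread or from Cisco) that parses constructed 'show ip accounting' rows, ranks sources and destinations by bytes, and converts an IOS txload/rxload fraction plus the configured bandwidth into bits per second, as in the 5/255 calculation earlier in the thread. The sample rows and addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of 'show ip accounting' output (not captured from a real router).
SAMPLE_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 192.168.1.25     203.0.113.10                  9120              12345600
 192.168.1.25     203.0.113.11                  8790              11890000
 192.168.1.7      198.51.100.5                   210                161000
 192.168.1.25     203.0.113.12                  9011              12210000
 192.168.1.40     198.51.100.5                    55                 44000
Accounting data age is 1
"""

# One accounting row: source IP, destination IP, packet count, byte count.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            src, dst, pkts, nbytes = m.groups()
            rows.append((src, dst, int(pkts), int(nbytes)))
    return rows


def top_talkers(rows, key="src", n=3):
    """Total bytes per source (key='src') or destination (key='dst'), largest first."""
    idx = 0 if key == "src" else 1
    totals = defaultdict(int)
    for row in rows:
        totals[row[idx]] += row[3]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def load_to_bps(load, bandwidth_kbit):
    """Convert an IOS load value (x out of 255) and 'BW <kbit>' into bits per second."""
    return load * bandwidth_kbit * 1000 // 255


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_ACCOUNTING)
    print("top sources:", top_talkers(rows, "src"))
    print("top destinations:", top_talkers(rows, "dst"))
    # 5/255 on a 100 Mbit FastEthernet vs 230/255 on a 2048 kbit serial
    print(load_to_bps(5, 100000), load_to_bps(230, 2048))
```

A single internal host dominating the source column while the destination column spreads across many unrelated addresses is the pattern worth a closer look on the LAN side.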