There are still many things worth learning about router configuration. Here we mainly look at problems caused by excessive load. I connected my laptop to one of the ports of the switch and pinged the gateway. The same fault occurred: the network was disconnected once every 4 to 10 minutes and returned to normal after 40 to 50 seconds.
Observation showed no abnormal port indicators, so all ports of the switch appeared normal. Could the switch's internal system be faulty? I simply restarted the switch; after the restart the fault persisted. Perhaps the switch really was the problem. I was wondering whether I would have to move the stack module to another switch when my cell phone rang: another colleague told me that his machine had experienced the same fault. His host is in a different VLAN, and since the temporary disconnection happened at the same time, it was very likely that the router connecting the two VLANs had a problem.
The problem now centred on the router. I hurried back to the network centre; the router's external indicators showed nothing unusual. I pinged the router address from my network management machine, which is directly connected to the router's MB module, and kept observing for a while. Every 4 to 10 minutes, the indicators of all modules of the router went off at the same time, then the "HBT" light on the control module flashed, then the "OK" light came on, and the lights of all modules returned to Online. A flashing "HBT" light indicates that the router is starting up, that is, it was restarting automatically, and the network disconnection of about 40 seconds is exactly the time the router needs to restart. The search for where the problem lay was over: it must be a router fault. Finding the specific cause required further investigation. With the router working normally, I connected the notebook's COM port to the router's dedicated CONSOLE cable and opened a HyperTerminal session. In management mode, the "system show bootlog" command shows the system's startup records; the loading of each module was normal, and the cause of the restart was that the CPU usage had reached 100%. The "system show cpu-utilization" command shows the CPU usage:
SSR# system show cpu-utilization
CPU Utilization (5 seconds): 50%
                (60 seconds): 60%
(The former is the average CPU usage over the last 5 seconds, 50%; the latter is the average CPU usage over the last 60 seconds, 60%.)
Sure enough, running this command repeatedly showed the CPU usage climbing steadily; when it reached 95%, the router restarted automatically. The router load was evidently too high, because normally the CPU usage is only about 1%-6%, rising slightly during peak network use. But what was overloading the router? Fortunately, I had earlier configured logging on the router and sent the log to a log server. Opening the logs recorded on that server, however, turned up no useful clues, because the router cannot send logs to the log server when its load is too high. So I could only use the "system show syslog buffer" command to view the log records in the current system buffer:
SSR# system show syslog buffer
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 210.55.37.72
2003-09-10 09:28:32 %ACL_LOG-I-PERMIT, ACL [out] on "uplink" ICMP 210.16.3.82 -> 61.136.65.13
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 202.227.100.65
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 193.210.224.202
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 218.32.21.101
..................
Obviously, 210.16.3.82 was using ICMP to attack other hosts, so that host was either infected or being exploited by an intruder. Given the situation, there was probably a host in the network infected with the "Shock Wave killer" virus (the worm known in English as Welchia, or Nachi). The virus sends ICMP echo-request packets to IP address ranges chosen by its own algorithm to detect the active hosts in those ranges; the packets carry a 92-byte payload filled with "aa", and the flood of them congests the network. Once the virus finds a live host, it tries to exploit the RPC vulnerability on port 135 and the WebDAV vulnerability on port 80 with an overflow attack. After a successful overflow, the system listens on TFTP port 69 for file download, and on a random port in the range 666-765, usually port 707.
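The clue in the syslog buffer is not any single line but the pattern: one source reaching many distinct destinations by ICMP within the same second. The script below is an added example (not from the original article or the router vendor) that parses lines in the shape shown above and flags sources that sweep many hosts in a short window. The regex is reconstructed from the wrapped output on the page, and the two lines from 210.16.3.10 are constructed benign traffic (an ordinary ping to the gateway) so the detector has something not to flag; both are assumptions, as is the 60-second window and the four-destination threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the "system show syslog buffer" output: the first five
# entries are the ones shown on the page, the two from 210.16.3.10 are a
# made-up ordinary ping to the gateway, added so the detector has benign
# traffic to ignore.
SAMPLE_LOG = """\
SSR# system show syslog buffer
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 210.55.37.72
2003-09-10 09:28:32 %ACL_LOG-I-PERMIT, ACL [out] on "uplink" ICMP 210.16.3.82 -> 61.136.65.13
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 202.227.100.65
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 193.210.224.202
2003-09-10 09:28:32 %ACL_LOG-I-DENY, ACL [out] on "uplink" ICMP 210.16.3.82 -> 218.32.21.101
2003-09-10 09:28:33 %ACL_LOG-I-PERMIT, ACL [out] on "uplink" ICMP 210.16.3.10 -> 210.16.3.1
2003-09-10 09:28:40 %ACL_LOG-I-PERMIT, ACL [out] on "uplink" ICMP 210.16.3.10 -> 210.16.3.1
..................
"""

# Line shape reconstructed from the page (assumption: real SSR output may
# carry extra fields for TCP/UDP; only the ICMP shape shown above is handled).
ACL_LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'%ACL_LOG-I-(?P<action>DENY|PERMIT), ACL \[(?P<dir>in|out)\] '
    r'on "(?P<iface>[^"]+)" (?P<proto>[A-Z]+) '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$'
)


def parse_acl_log(lines):
    """Return one dict per ACL_LOG line; prompts and '....' fillers are skipped."""
    events = []
    for line in lines:
        m = ACL_LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event['ts'] = datetime.strptime(event['ts'], '%Y-%m-%d %H:%M:%S')
        events.append(event)
    return events


def icmp_sweepers(events, window_seconds=60, min_destinations=4):
    """Map each source that reaches >= min_destinations distinct hosts by ICMP
    inside any window_seconds span to the set of destinations it touched.
    DENY and PERMIT entries count alike: the sweep is visible either way."""
    by_src = defaultdict(list)
    for e in events:
        if e['proto'] == 'ICMP':
            by_src[e['src']].append((e['ts'], e['dst']))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            dsts = {dst for _, dst in hits[start:end + 1]}
            if len(dsts) >= min_destinations:
                flagged[src] = flagged.get(src, set()) | dsts
    return flagged


if __name__ == '__main__':
    for src, dsts in icmp_sweepers(parse_acl_log(SAMPLE_LOG.splitlines())).items():
        print(f'{src} swept {len(dsts)} hosts by ICMP: {sorted(dsts)}')
```

On the page's own five entries this reports 210.16.3.82 with five destinations, while the constructed gateway ping from 210.16.3.10 stays below the threshold. The same logic works on the copy the router ships to a syslog server, which matters here because, as the article notes, the router stopped forwarding logs once it was overloaded, so the on-box buffer was the only record left.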
Based on the virus's propagation mechanism, I immediately set an access control list (ACL) on the router to block UDP port 69 (TFTP, used for file download), TCP port 135 (the Microsoft DCOM RPC port) and the ICMP protocol (used to discover active hosts). The specific ACL configuration is as follows:
! --- Block ICMP
acl deny-virus deny icmp any any
! --- Block TFTP
acl deny-virus deny udp any any any 69
! --- Block W32.Blaster related protocols
acl deny-virus deny tcp any any any 135
acl deny-virus permit tcp any any any any
acl deny-virus permit udp any any any any
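To see what this ACL actually does to traffic, and what it does not do, the following added example (not part of the article, and not the router vendor's code) parses the rules above and evaluates constructed sample packets against them. It assumes the rule shape "acl <name> <permit|deny> <proto> <src> <dst> [<sport> <dport>]" as it appears in the configuration, first-match semantics, and an implicit deny for anything no rule matches, which is how the trailing "permit tcp" and "permit udp" lines read; check that against the router's documentation before relying on it. The sample packets and their addresses are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# The ACL exactly as configured on the router above.
DENY_VIRUS_ACL = """\
! --- Block ICMP
acl deny-virus deny icmp any any
! --- Block TFTP
acl deny-virus deny udp any any any 69
! --- Block W32.Blaster related protocols
acl deny-virus deny tcp any any any 135
acl deny-virus permit tcp any any any any
acl deny-virus permit udp any any any any
"""


@dataclass
class Rule:
    name: str
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip', 'tcp', 'udp', 'icmp', ...
    src: str             # 'any', a host address or a prefix like 210.16.3.0/24
    dst: str
    sport: str = 'any'
    dport: str = 'any'


def parse_acl(config_text):
    """Parse rule lines; '!' comment lines and anything that is not 'acl ...' are skipped.
    Assumption: the SSR rule shape seen in the configuration above."""
    rules = []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0] != 'acl':
            continue
        if len(parts) < 6:
            raise ValueError(f'malformed ACL rule: {line!r}')
        name, action, proto, src, dst = parts[1:6]
        sport = parts[6] if len(parts) > 6 else 'any'
        dport = parts[7] if len(parts) > 7 else 'any'
        rules.append(Rule(name, action, proto, src, dst, sport, dport))
    return rules


def _addr_matches(spec, addr):
    if spec == 'any':
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == 'any' or (port is not None and int(spec) == port)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching rule wins. Returns (verdict, rule_index); rule_index is
    None when nothing matched and the assumed implicit deny applies."""
    for i, r in enumerate(rules):
        if r.proto not in ('ip', proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if not (_port_matches(r.sport, sport) and _port_matches(r.dport, dport)):
            continue
        return r.action, i
    return 'deny', None


# Constructed sample traffic: (label, proto, src, dst, sport, dport).
SAMPLE_PACKETS = [
    ('infected host ICMP sweep',      'icmp', '210.16.3.82', '210.55.37.72', None,  None),
    ('infected host TFTP download',   'udp',  '210.16.3.82', '210.16.3.90',  1030,  69),
    ('infected host DCOM RPC (135)',  'tcp',  '210.16.3.82', '210.16.3.90',  1031,  135),
    ('infected host WebDAV (80)',     'tcp',  '210.16.3.82', '210.16.3.90',  1032,  80),
    ('admin ping to gateway',         'icmp', '210.16.3.10', '210.16.3.1',   None,  None),
    ('ordinary web browsing',         'tcp',  '210.16.3.10', '61.136.65.13', 40000, 80),
    ('OSPF hello (not tcp/udp/icmp)', 'ospf', '210.16.3.1',  '224.0.0.5',    None,  None),
]


def run_samples(rules=None):
    """Evaluate every sample packet; returns {label: (verdict, rule_index)}."""
    rules = rules if rules is not None else parse_acl(DENY_VIRUS_ACL)
    return {label: evaluate(rules, proto, src, dst, sport, dport)
            for label, proto, src, dst, sport, dport in SAMPLE_PACKETS}


if __name__ == '__main__':
    for label, (verdict, idx) in run_samples().items():
        where = f'rule {idx}' if idx is not None else 'implicit deny'
        print(f'{label:32s} -> {verdict:6s} ({where})')
```

Two things the evaluation makes visible that the configuration alone does not: the blanket ICMP deny also stops the administrator's own ping to the gateway, the very check the article opens with, so a narrower rule that permits ICMP from the management network before the deny is worth considering; and the WebDAV vector on TCP 80 named in the article is not blocked at all, because blocking port 80 would block ordinary web traffic, so that path still needs patching on the hosts. Anything that is neither TCP, UDP nor ICMP falls through to the implicit deny, which is the assumption flagged in the lead-in to verify before applying such an ACL on a link that carries routing protocols.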