Many people may not have a deep understanding of routers, so I will describe how I traced a problem of router overload and constant restarts, and I hope it will be useful to you. Apply the ACL deny-virus to the uplink interface: acl deny-virus apply interface uplink input output.
In this way, the "Shock Wave killer" can be intercepted at the network's egress. To prevent hosts infected with the "Shock Wave killer" from spreading it between the school's VLANs, the same ACL must also be applied to the interfaces of the internal VLANs. After this, "system show cpu-utilization" was used to check CPU usage, which had returned to normal, and after a period of time there were no further restarts.
The router restarted because it could not automatically discard the attack packets generated by the virus. To solve the problem completely, the router's IOS must be upgraded (use "system show version" to view the current IOS version). I remember that two years ago, when the "Red Code" virus was prevalent, routers were also constantly restarting due to overload, and after an IOS upgrade they returned to normal. So I immediately contacted the device vendor and obtained the latest IOS image file. At this point, all of the router faults were resolved.
From this troubleshooting process we can learn the following lesson: always pay attention to how the situation on the network develops, prepare the corresponding countermeasures, and put them into practice. Once a new vulnerability appears, the CCERT Security Response Team will automatically send you an email. Because we learned about the "Shock Wave" during the summer vacation and set the router ACL in time, the "Shock Wave" virus did not flood the network; but the corresponding ACL for the later "Shock Wave killer" was not set in time, and that is why the network was paralyzed this time. In fact, during this wave of "Shock Wave" and "Shock Wave killer" attacks, many MAN networks were also paralyzed. These experiences warn us again and again: always pay attention to network security and respond promptly and actively.
Fault: ICMP Redirect
What is the problem? Let me first describe it. Although no obvious exceptions occurred in the router's configuration, the following log entries appeared frequently:
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 219.157.38.52
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 219.167.139.16
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 61.132.1.43
Jul 09 15:54:23% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 24.232.18.109
Jul 09 15:54:23% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 211.146.112.211
...
"209.24.79.200" is the address of the router's uplink interface. I did not know why the router was sending so many ICMP packets to these irregular IP addresses. Looking up the addresses, some were in provinces of China, some in Japan, and some in the United States, Argentina and Singapore, without any regularity. Was someone attacking the router? Or was an internal host being attacked? What was strange was that there were only records of outgoing packets and none of incoming packets.
Anyone who has dealt with ICMP is surely familiar with it: the common ping command uses ICMP. Its full name is Internet Control Message Protocol. It is an integral part of IP and is used to report errors: when an error of any of several kinds is detected, a message is returned to the originating host. There are also a variety of ICMP-based attack methods. So why is this log generated? Let me take everyone through the check.
The topology of our school network is a simple star. The central node is a layer-3 switching router (an Enterasys SSR8000). One port is uplinked to CERNET and the other ports connect the internal network, which is divided into multiple VLANs by port. To check whether the packets were sent from inside the network, logging was enabled on each interface of the internal VLANs; no relevant ICMP logs were recorded there, only on the uplink interface. So if no internal computer is sending these ICMP packets, the problem may lie at the uplink interface itself. Log records only capture information at the protocol layer and cannot record the deeper contents of the packets. To view the packets on the uplink interface, it is easy to use the port mirroring function and capture and analyze the packets with a computer connected to the mirror port.
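As an added example (not from the original article), here is a small Python script that parses ACL log entries in the two-line format shown above and flags the pattern described: the router's own uplink address sending ICMP to many distinct destinations with little or no matching inbound ICMP. The sample log is constructed to mirror the excerpt, and the threshold of five destinations is an assumption.

```python
import re

# Constructed sample in the two-line format of the ACL log excerpt above.
# The last entry is an inbound one, added to show both directions are handled.
SAMPLE_LOG = """\
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 219.157.38.52
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 219.167.139.16
Jul 09 15:54:21% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 61.132.1.43
Jul 09 15:54:23% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 24.232.18.109
Jul 09 15:54:23% ACL_LOG-I-PERMIT, ACL [out]
On "uplink" ICMP 209.24.79.200-> 211.146.112.211
Jul 09 15:54:24% ACL_LOG-I-PERMIT, ACL [in]
On "uplink" ICMP 24.232.18.109-> 209.24.79.200
"""

ROUTER_UPLINK = "209.24.79.200"  # the uplink address named in the article

HEADER = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d)\s*%\s*ACL_LOG-I-(?P<action>\w+), ACL \[(?P<dir>in|out)\]$")
DETAIL = re.compile(r'^On "(?P<intf>[^"]+)" (?P<proto>\w+) (?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)$')

def parse_acl_log(text):
    """Pair each header line with the 'On ...' detail line that follows it."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = []
    for head, detail in zip(lines[0::2], lines[1::2]):
        h, d = HEADER.match(head), DETAIL.match(detail)
        if h and d:
            entries.append({**h.groupdict(), **d.groupdict()})
    return entries

def icmp_peers(entries, router_addr):
    """Count distinct ICMP peers of the router's own address, per direction."""
    peers = {"in": set(), "out": set()}
    for e in entries:
        if e["proto"] != "ICMP":
            continue
        if e["dir"] == "out" and e["src"] == router_addr:
            peers["out"].add(e["dst"])
        elif e["dir"] == "in" and e["dst"] == router_addr:
            peers["in"].add(e["src"])
    return {k: len(v) for k, v in peers.items()}

def is_suspicious(counts, min_out=5):
    """Flag a wide outbound ICMP fan-out that inbound traffic does not explain."""
    return counts["out"] >= min_out and counts["in"] * 2 < counts["out"]
```

Run against a full day of uplink ACL logs, a true result points at the router itself as the ICMP source, which is exactly the case where a mirror-port capture is the next step.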