Security Incidents mailing list archives
RE: cisco 7200 performance issue
From: Luciano Z <user_luciano () yahoo com br>
Date: Fri, 23 May 2003 16:42:14 -0300 (ART)
I forgot the version information :-) It's a 12.2(12b) box. Another interesting piece of information is that the router does not use SSH; it is connected to a console server. This configuration is not a regular policy, I still have boxes that use telnet :-(

Follow-up on this incident: We reported the problem to Cisco and the recommendation that we got is 'apply an access-list'. Well, this is a problem to implement. The message we received in the router syslog affected the CPU too (it's like doing a "debug all" on the console). With the access-list this could be solved. The only question I have is why do RSHELL messages need to be logged while connections to other TCP ports don't? It would be interesting to have a feature to disable logging on service ports that are not in use (suggestion to the Cisco guys here? :-)

Some of the replies I got recommended this too, but let's analyze the problem of implementing access-lists on this box. This is an access layer box, so we have about 80 active customers connected to this router. If we apply an access-list to protect the router by dropping all packets destined to the router's interfaces (and its loopbacks) we will end up with an access-list with at least 80 lines (imagine the problem of managing this while activating/deactivating customers). So this is not a solution, at least at this network layer.

One thing we did here after the incident is a review of the "schedule allocate" configuration. We first used the values from that classic paper about router security written by Cisco, but now we changed it a bit and will test this to evaluate this new value.

Well, thanks for all the replies I got. If we have some new information I'll post here.

[] luciano

--- Paul Benedek <paul.benedek () excis co uk> wrote:

Hi Luciano,

What is the IOS version that you are running? This could be a bug. It would be worth looking at the field notices on CCO to determine if this is IOS related.

Regards
Paul Benedek

-----Original Message-----
From: Luciano Z [mailto:user_luciano () yahoo com br]
Sent: 21 May 2003 20:45
To: incidents () securityfocus com
Subject: cisco 7200 performance issue

Hi! I was responding to an incident last night and saw a strange performance problem with a Cisco 7200. When I issued a "sh interface" on the two Fast Ethernets of my box it showed that I got only 6Mbps of traffic and a normal packet per second rate, but when I did "sh logg" on the box I got a lot of "%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from x.y.z.w" messages with spoofed sources. Investigating a little more I discovered that this traffic was pushing the CPU to 98% to 100% of utilization. Back in the output of "sh logg" I saw that the box was logging 2 to 3 RSHELL messages per second. In my opinion this couldn't affect the CPU so much. The router has 256M of RAM and it's a 7200! I couldn't gather more info about this incident because it stopped before I could get the data. The strange thing is that the high CPU utilization stopped too. I don't know if this is a problem of this Cisco model or if I'm missing something. Any ideas?

[] lwulff
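The thread's observation of 2 to 3 RSHPORTATTEMPT messages per second from spoofed sources, turned into an added detection example (this is not code from any poster): it parses IOS syslog lines of the form quoted above, buckets them per second, and counts how many sources appear only once, which is what a spoofed flood looks like in the log. The timestamp layout, the sample addresses and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the syslog line quoted in the thread; the leading "*Mon DD HH:MM:SS.mmm: "
# timestamp layout is an assumption about how the box was configured to log.
RSH_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from (?P<src>[\d.]+)"
)

# Constructed sample log: three attempts in one second, a non-RSH line, then two more.
SAMPLE_LOG = """\
*May 21 20:45:01.101: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.10
*May 21 20:45:01.402: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.11
*May 21 20:45:01.777: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.12
*May 21 20:45:02.050: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*May 21 20:45:02.311: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.13
*May 21 20:45:02.640: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.10
*May 21 20:45:03.120: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.14
"""


def parse_rsh_attempts(lines, year=2003):
    """Return (timestamp, source) for every RSHPORTATTEMPT line; other lines are skipped."""
    events = []
    for line in lines:
        m = RSH_RE.match(line.strip())
        if not m:
            continue
        # IOS timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src")))
    return events


def flood_summary(events, rate_threshold=2):
    """Per-second rate and source diversity; rate_threshold is the per-second count worth flagging."""
    per_second = Counter(ts for ts, _ in events)
    sources = Counter(src for _, src in events)
    return {
        "total": len(events),
        "peak_per_second": max(per_second.values(), default=0),
        "hot_seconds": sum(1 for n in per_second.values() if n >= rate_threshold),
        "distinct_sources": len(sources),
        # many sources seen exactly once is consistent with spoofed addresses
        "single_hit_sources": sum(1 for n in sources.values() if n == 1),
    }


if __name__ == "__main__":
    print(flood_summary(parse_rsh_attempts(SAMPLE_LOG.splitlines())))
```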