RE: cisco 7200 performance issue

From: Luciano Z (user_lucianoat_private)
Date: Fri May 23 2003 - 12:42:14 PDT


    I forgot the version information :-)
    It's a 12.2(12b) box.

    Another interesting piece of information is that the router does not
    use SSH; it is connected to a console server. This configuration is
    not a regular policy, I still have boxes that use telnet :-(

    Follow-up on this incident:
    We reported the problem to Cisco and the recommendation we got was
    'apply an access-list'. Well, this is a problem to implement. The
    message we received in the router syslog affected the CPU too (it's
    like doing a "debug all" on the console). With the access-list this
    could be solved. The only question I have is why do RSHELL messages
    need to be logged while connections to other TCP ports don't? It
    would be interesting to have a feature to disable logging on service
    ports that are not in use (a suggestion to the Cisco guys here? :-)

    Some of the replies I got recommended this too, but let's analyze the
    problem of implementing access-lists on this box. This is an access
    layer box, so we have about 80 active customers connected to this
    router. If we apply an access-list to protect the router by dropping
    all packets destined to the router's interfaces (and its loopbacks)
    we will end up with an access-list with at least 80 lines (imagine
    the problem of managing this while activating/deactivating
    customers). So this is not a solution, at least at this network
    layer.

    One thing we did here after the incident is a review of the
    "scheduler allocate" configuration. We first used the values from
    that classic paper about router security written by Cisco, but now
    we have changed it a bit and will test this to evaluate the new
    value.

    Well, thanks for all the replies I got.
    If we have some new information I'll post it here.

    []
    luciano

     --- Paul Benedek <paul.benedekat_private> wrote:
    > Hi Luciano,
    > 
    > What is the IOS version that you are running?  This could be a bug.
    > It would be worth looking at the field notices on CCO to determine
    > if this is IOS related.
    > 
    > Regards
    > 
    > Paul Benedek
    > 
    > -----Original Message-----
    > From: Luciano Z [mailto:user_lucianoat_private]
    > Sent: 21 May 2003 20:45
    > To: incidentsat_private
    > Subject: cisco 7200 performance issue
    > 
    > Hi!
    > 
    > I was responding to an incident last night and saw a strange
    > performance problem with a cisco 7200.
    > 
    > When I issued a "sh interface" on the two fast ethernets of my box
    > it showed that I got only 6Mbps of traffic and a normal packet per
    > second rate, but when I did "sh logg" on the box I got a lot of
    > "%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from x.y.z.w"
    > messages with spoofed sources.
    > 
    > Investigating a little more I discovered that this traffic was
    > pushing the CPU to 98% to 100% utilization. Back at the output of
    > "sh logg" I saw that the box was logging 2 to 3 RSHELL messages per
    > second. In my opinion this couldn't affect the CPU so much. The
    > router has 256M of RAM and it's a 7200!
    > 
    > I couldn't gather more info about this incident because it stopped
    > before I could get the data. The strange thing is that the high CPU
    > utilization stopped too.
    > 
    > I don't know if this is a problem of this cisco model or if I'm
    > missing something. Any ideas?
    > 
    > []
    > lwulff
    > 
    
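    Added example, not part of this thread: detection logic run over constructed syslog lines in the %RCMD-4-RSHPORTATTEMPT format quoted above, measuring the per-second rate Luciano mentions (2 to 3 per second) and the spread of source addresses that points to spoofing. The "Mon DD HH:MM:SS:" timestamp prefix and the rate threshold are assumptions, not values from the post.

```python
import re
from collections import Counter

# Pattern for the IOS syslog message quoted in the thread; the timestamp
# prefix is assumed to be the default "Mon DD HH:MM:SS:" form.
RSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_rsh_attempts(lines):
    """Yield (timestamp, source) for each RSHPORTATTEMPT line; other lines are skipped."""
    for line in lines:
        m = RSH_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src")

def summarize(lines, rate_threshold=2):
    """Messages per second (peak) and distinct sources; the threshold is an assumed value."""
    per_second = Counter()
    sources = Counter()
    for ts, src in parse_rsh_attempts(lines):
        per_second[ts] += 1
        sources[src] += 1
    total = sum(sources.values())
    peak = max(per_second.values(), default=0)
    return {
        "total": total,
        "peak_per_second": peak,
        "distinct_sources": len(sources),
        "flood": peak >= rate_threshold,
        # every source seen exactly once is what randomised/spoofed addresses look like
        "likely_spoofed": total > 0 and all(n == 1 for n in sources.values()),
    }

# Constructed sample log lines (not from the post): a burst of probes
# mixed with an unrelated config-change message that must be ignored.
SAMPLE_LOG = """\
May 21 20:40:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.7
May 21 20:40:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.42
May 21 20:40:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.250
May 21 20:40:02: %SYS-5-CONFIG_I: Configured from console by console
May 21 20:40:02: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.99
May 21 20:40:02: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    Feed it the output of "sh logg" (or the syslog collector's file) to see whether a CPU spike lines up with a probe burst like the one in the post.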
    



    This archive was generated by hypermail 2b30 : Mon May 26 2003 - 09:05:48 PDT