01-15-2024 01:28 AM
I have a Cisco WS-C4948E switch connected with two ISPs through which I establish a BGP session that announces each IPv4/IPv6 subnet.
The switch is connected to GigabitEthernet1/1 port with a QoS of 150Mbps and represents the connection with ISP1 and TenGigabitEthernet1/50 with a QoS of 2Gbps representing the connection with ISP2.
I have been under a DDoS attack by DNS Amplification for a few days now, targeting all IPs in the advertised subnets. The problem is that my CPU is sitting at 99% even though the cumulative traffic is small and the switch should be processing many more packets without problems.
CPU usage evidence:
show processes cpu sorted
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 99%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
79 33380786 2451006 13619 61.91% 59.62% 58.90% 0 Cat4k Mgmt LoPri
145 13681631 11384527 1201 25.51% 24.35% 23.81% 0 IP Input
352 6729164 227758 29545 8.15% 11.20% 12.50% 0 OBFL INTR slot-1
78 1214361 4827396 251 1.91% 2.69% 2.68% 0 Cat4k Mgmt HiPri
show processes cpu history
999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999
100 **********************************************************
90 **********************************************************
80 **********************************************************
70 **********************************************************
60 **********************************************************
50 **********************************************************
40 **********************************************************
30 **********************************************************
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999
100 ##########################################################
90 ##########################################################
80 ##########################################################
70 ##########################################################
60 ##########################################################
50 ##########################################################
40 ##########################################################
30 ##########################################################
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
999999999999999
999999999999999
100 ###############
90 ###############
80 ###############
70 ###############
60 ###############
50 ###############
40 ###############
30 ###############
20 ###############
10 ###############
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
Traffic:
cisco01#! Orange ISP
cisco01#show interfaces TenGigabitEthernet1/50 | include rate
Queueing strategy: fifo
5 minute input rate 2930014000 bits/sec, 275290 packets/sec
5 minute output rate 836820000 bits/sec, 69316 packets/sec
cisco01#! RCS&RDS ISP
cisco01#show interfaces GigabitEthernet1/1 | include rate
Queueing strategy: fifo
5 minute input rate 219400000 bits/sec, 54281 packets/sec
5 minute output rate 177663000 bits/sec, 16403 packets/sec
cisco01#! node01
cisco01#show interfaces Port-channel3 | include rate
Queueing strategy: fifo
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
cisco01#! dell1
cisco01#show interfaces Port-channel5 | include rate
Queueing strategy: fifo
5 minute input rate 4380000 bits/sec, 1445 packets/sec
5 minute output rate 477389000 bits/sec, 41260 packets/sec
cisco01#! hp1
cisco01#show interfaces TenGigabitEthernet1/49 | include rate
Queueing strategy: fifo
5 minute input rate 1011133000 bits/sec, 84507 packets/sec
5 minute output rate 220475000 bits/sec, 54166 packets/sec
01-15-2024 01:43 AM
What IOS code is running on this kit - is this VSS standalone?
This is the only one that is consuming more CPU here:
Cat4k Mgmt LoPri
check
#show platform health
#show version (how long is the uptime)
What if you shut down one of the links, does the CPU go low?
Also find troubleshooting guide for Cat 4K
Post the complete output of the ISP-connected interface (not only rate).
Protect against DDoS attack by DNS Amplification (if that can help you) - https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/dos.html
01-15-2024 01:49 AM
Thank you for your insanely fast answer!
#show platform health
%CPU %CPU RunTimeMax Priority Average %CPU Total
Target Actual Target Actual Fg Bg 5Sec Min Hour CPU
RkiosObflMan 0.50 0.00 4 0 100 500 0 0 0 0:02
VSI slot-01 1.00 0.35 6 1 100 500 0 0 0 2:40
VSI backplane 1.00 0.00 6 0 100 500 0 0 0 0:00
GalChassisVp 3.00 0.07 20 13 100 500 0 0 0 0:42
S2w-JobEventSchedule 10.00 0.00 10 0 100 500 0 0 0 0:00
Stub-JobEventSchedul 10.00 0.00 10 0 100 500 0 0 0 0:00
Lj-poll 1.00 0.02 2 0 100 500 0 0 0 0:12
StatValueMan Update 1.00 0.03 1 0 100 500 0 0 0 0:18
Pim-review 0.10 0.00 1 0 100 500 0 0 0 0:02
Ebm-host-review 1.00 0.00 8 0 100 500 0 0 0 0:06
Ebm-host-util-review 1.00 0.00 10 0 100 500 0 0 0 0:00
Ebm-port-review 0.10 0.00 1 0 100 500 0 0 0 0:00
Protocol-aging-revie 0.20 0.00 2 0 100 500 0 0 0 0:00
EbmHostRedundancyMan 2.00 0.00 20 0 100 500 0 0 0 0:00
Acl-Flattener 1.00 0.00 10 2 100 500 0 0 0 0:00
GalChassisVp Ondeman 2.00 0.00 2 0 100 500 0 0 0 0:00
KxAclPathMan create/ 1.00 0.00 10 5 100 500 0 0 0 0:11
KxAclPathMan update 2.00 0.00 10 115 100 500 0 0 0 1:28
KxAclPathMan reprogr 1.00 0.00 2 1 100 500 0 0 0 0:00
KxPartialPath Review 2.00 0.00 10 0 100 500 0 0 0 0:00
GalK5TatooineStatsMa 0.70 0.02 4 0 100 500 0 0 0 0:18
MOL FastDropReview 2.00 0.00 15 0 100 500 0 0 0 0:00
IrmMfibEntryMan Revi 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3WCCP Service Gro 2.00 0.00 15 0 100 500 0 0 0 0:00
RkiosL3PortMan AclFe 2.00 0.00 15 5 100 500 0 0 0 0:00
RkiosVs Purged Modul 2.00 0.00 15 0 100 500 0 0 0 0:00
GalK5SupervisorVpFpg 2.00 0.00 0 0 100 500 0 0 0 0:00
GalK5SupervisorVpFpg 2.00 0.00 10 0 100 500 0 0 0 0:00
GalK5SupervisorVpFpg 2.00 0.00 10 0 100 500 0 0 0 0:00
LinecardFpgaUpgrade 0.50 0.00 2 0 100 500 0 0 0 0:00
K5L3FlcMan FwdEntry 2.00 0.00 15 0 100 500 0 0 0 0:00
FwdEntry Zombie Revi 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3FlcMan Cam Shuff 4.00 0.00 25 0 100 500 0 0 0 0:00
K5L3Unciast IFE Revi 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3UnicastRpf IFE R 2.00 0.00 15 53 100 500 0 0 0 0:00
K5L3Unicast Fwd Entr 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3McastMan IrmMfib 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3McastMan ImeSync 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3Unicast Fwd Entr 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3Unicast Adj Chan 2.00 0.00 15 0 100 500 0 0 0 0:05
K5L3Unicast Adj Tabl 2.00 0.00 15 5 100 500 0 0 0 0:41
K5L3Unicast Adj Grou 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3SourceGuardMan S 2.00 0.00 15 0 100 500 0 0 0 0:00
K5L3McastMan RetSync 1.00 0.00 8 0 100 500 0 0 0 0:00
K5FlcHitMan review 2.00 0.01 5 2 100 500 0 0 0 0:40
K5L3SubinterfaceMan 2.00 0.00 15 1 100 500 0 0 0 0:00
K5PortMan Regular Re 2.00 0.22 15 6 100 500 0 0 0 2:23
K5PortMan Ondemand L 6.00 0.75 30 4 100 500 0 0 0 4:47
K5PortMan Stats Revi 2.00 0.00 15 0 100 500 0 0 0 0:11
K5PortMan Tx Queue R 3.00 0.00 15 0 100 500 0 0 0 0:00
K5L2 Vlan Table Revi 2.00 0.00 12 8 100 500 0 0 0 2:06
K5 L2 Aging Table Re 2.00 0.22 20 4 100 500 0 0 0 1:18
K5 L2 Unicast Addres 2.00 0.00 20 1 100 500 0 0 0 0:04
K5 L2 Multicast Addr 2.00 0.00 20 0 100 500 0 0 0 0:03
K5 L2 Hardware Addre 2.00 0.00 20 3 100 500 0 0 0 0:14
K5 L2 Hardware Mac L 1.00 0.00 2 0 100 500 0 0 0 0:00
K5RetStatsMan Review 2.00 0.00 5 0 100 500 0 0 0 0:00
K5CpuMan Review 30.00 69.30 30 23 100 500 88 73 56 533:21
K5ForerunnerPacketMa 2.00 1.46 4 0 100 500 1 1 1 10:38
K5ForerunnerPacketMa 2.00 0.22 4 0 100 500 0 0 0 1:47
K5QosDhmMan Rate DBL 2.00 0.00 7 0 100 500 0 0 0 0:00
K5QosDblMan (dis|en) 1.00 0.00 2 0 100 500 0 0 0 0:00
K5QosPolicerStatsMan 1.00 0.00 10 0 100 500 0 0 0 0:02
K5VlanStatsReview 2.00 1.88 10 5 100 500 2 1 1 14:06
K5VlanStatsTableMan 2.00 0.00 2 0 100 500 0 0 0 0:00
K5VlanStatsTableMan 2.00 0.00 2 0 100 500 0 0 0 0:00
K5RwAdjStatsMan Revi 2.00 0.07 10 7 100 500 0 0 0 2:54
K5AclMan-labeledFlat 1.00 0.00 10 171 100 500 0 0 0 0:00
K5AclLabelMan-punted 1.00 0.00 10 0 100 500 0 0 0 0:02
K5AclCamMan stale en 1.00 0.00 10 5 100 500 0 0 0 0:00
K5AclCamStatsMan hw 3.00 0.01 10 5 100 500 0 0 0 2:04
K5Acl Input Action U 2.00 0.00 15 7 100 500 1 1 1 12:09
K5Acl Output Action 2.00 0.00 15 7 100 500 1 1 1 12:39
K5PktSamp Sampling C 3.00 0.10 3 0 100 500 0 0 0 0:47
K5SgaclMan create/de 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
TODO give valid name 1.00 0.00 10 0 100 500 0 0 0 0:00
RkGenericL3Wccp IrmW 2.00 0.00 10 0 100 500 0 0 0 0:02
RkiosPortMan Port Re 2.00 0.08 12 10 100 500 0 0 0 1:00
Rkios Module State R 4.00 0.02 40 0 100 500 0 0 0 0:13
Rkios Online Diag Re 4.00 0.02 40 0 100 500 0 0 0 0:13
MatMan Review 0.50 0.00 4 0 100 500 0 0 0 0:00
GalDagobahManPowerFa 3.00 0.00 1 0 100 500 0 0 0 0:00
LocalJawaVsiMan VsiR 0.20 0.00 2 0 100 500 0 0 0 0:00
RkiosIpPbr IrmPort R 2.00 0.00 10 1 100 500 0 0 0 0:19
RkiosAclMan Review 3.00 0.05 30 0 100 500 0 0 0 0:25
GalK5DriverMan Revie 5.00 0.00 20 1 100 500 0 0 0 0:00
FrysSpiRomMan 0.50 0.00 2 0 100 500 0 0 0 0:00
GalGlmLinecardVp(1) 5.00 0.28 20 63 100 500 0 0 0 2:16
Temperature monitor 0.40 0.02 4 0 100 500 0 0 0 0:07
GalGlmPollerMan 3.00 0.01 20 0 100 500 0 0 0 0:12
Quack 4.00 0.00 20 0 100 500 0 0 0 0:00
GlmBridgeMan(0) revi 0.50 0.00 2 0 100 500 0 0 0 0:05
Stub periodic global 0.50 0.00 5 0 100 500 0 0 0 0:00
Stub ondemand global 0.50 0.00 5 0 100 500 0 0 0 0:00
Xgstub Stats Review 0.50 0.14 5 0 100 500 0 0 0 1:04
edcControllerMan_(0: 0.40 0.00 4 0 100 500 0 0 0 0:00
edcControllerMan_(0: 0.40 0.00 4 0 100 500 0 0 0 0:00
edcControllerMan_(0: 0.20 0.00 2 0 100 500 0 0 0 0:00
EthPhyPCMan(0:N) per 0.40 0.03 4 1 100 500 0 0 0 0:14
EthPhyPCMan(0:N) ond 0.20 0.01 2 1 100 500 0 0 0 0:05
LinecardDiagMan on d 0.50 0.00 1 0 100 500 0 0 0 0:00
EpmPortGroup(0:N) st 0.50 0.09 2 0 100 500 0 0 0 0:45
EpmPortGroup(0:N) on 0.50 0.06 4 8 100 500 0 0 0 0:26
SfpController(0) 0.50 0.00 0 0 100 500 0 0 0 0:00
EpmPluggableGroup(0: 0.60 0.04 6 3 100 500 0 0 0 0:17
-------------
%CPU Totals 228.90 75.74
Allocation ceiling Current allocation
------------------ ------------------
kbytes % in use kbytes % in use
Chassis 1 Linecard 1 2560.00 43% 1111.42 100%
TSM objects ------------------ ------------------
PacketInfoItem 781.25 0% 0.50 0%
VbufNodes2400 80.50 0% 0.00 0%
VbufNodes1600 55.50 0% 3.46 0%
VbufNodes400 288.00 0% 1.12 50%
VbufNodes64 60.00 0% 0.46 0%
VbufNodes4200 68.37 0% 0.00 0%
Packet 2651.01 0% 0.23 0%
RkiosSysPacketBuf 281.25 0% 1.01 0%
IndexCache 800.78 0% 0.00 0%
K5InternalVlanIdMap 96.00 0% 0.00 0%
K5AclOpDescNode 21504.00 0% 0.73 0%
K5AclRetMapEntryNode 56.00 0% 0.00 0%
K5AclLabelListNode 1024.00 0% 0.00 0%
K5AclIpv6PackedAddrH 1024.00 0% 0.00 0%
K5RwFormatAddrHashEn 5.97 0% 0.00 0%
K5RwFwdControlEntry 8.00 2% 0.18 100%
K5AdjGroups 960.00 0% 5.11 91%
IrmFibUnicastRpfList 8192.00 0% 8.75 92%
IrmSourceGuardEntrys 9092.50 0% 0.00 0%
K5L3FwdEntrys 31200.00 1% 909.60 62%
K5L3FwdEntryAvlTree2 12480.00 0% 182.06 62%
K5L3FwdTreeEntrys 21840.00 1% 637.21 62%
K5L3FwdTreeEntryAvlT 49920.00 0% 181.92 62%
IrmMfibFastDropFlowM 576.00 0% 0.00 0%
K5QosTxQueSelTableBl 12.00 2% 0.32 100%
K5QosPolicerBlockNod 2.00 0% 0.00 0%
K5QosPolicerBlockMem 69.00 0% 0.00 0%
K5QosPolicerMemAlloc 448.00 0% 0.00 0%
K5QosFeatureInfoList 2560.00 0% 0.54 71%
K5QosLabelToFeatureE 1920.00 0% 0.11 50%
K5QosPathFeatureInfo 512.00 0% 0.03 50%
K5SgaclEntry 2176.00 0% 0.00 0%
K5SgaclIpDgtEntry 96.00 0% 0.00 0%
K5CpuPacketInfoItem 781.25 0% 0.00 0%
MatEntrys 19456.00 0% 2.96 100%
MatEntryTableIterato 1.00 0% 0.03 0%
RkiosL2MacVlanEntrie 80.00 0% 0.00 0%
RkiosL3Port 2755.37 0% 1.31 100%
AclContextListNode 120.00 0% 0.00 0%
RkiosEpmManAclContex 300.00 0% 0.00 0%
PimPhyports 1851.56 5% 105.53 100%
PimPorts 1558.59 8% 125.72 100%
PimModules 526.00 0% 2.05 100%
PimSlots 18.00 0% 0.07 100%
PimChassis 8.26 50% 4.13 100%
PimQuack 1.75 3% 0.05 100%
EbmVlans 14944.00 0% 36.48 100%
EbmVlanGroupEntrys 8448.00 0% 1.28 100%
EbmPorts 1031.25 7% 81.12 100%
EbmPortHostEntrys 3182.37 0% 0.00 0%
EbmIeNodes 540.00 1% 5.80 100%
EbmPortVlanAclFeatur 8064.00 0% 0.00 0%
EbmPortVlanMap Alloc 64.00 0% 0.00 0%
EbmSortedHostTableIt 1.87 0% 0.00 0%
EbmSortedGroupTableI 1.87 0% 0.05 0%
EbmHostRedundancyMan 1082.81 0% 0.00 0%
EbmHostAgeRedundancy 1082.81 0% 0.00 0%
EbmMvrGroup 12.00 0% 0.00 0%
EbmMvrReceiverVlanPo 3648.00 0% 0.00 0%
IrmVrfs 630.00 0% 4.92 100%
IrmFibLoadBalances 1280.00 0% 0.07 100%
IrmFibAdjs 4224.00 0% 32.05 94%
IrmPortMemMan 9097.65 0% 6.42 100%
IrmPortEtherAddrEntr 500.00 0% 0.00 0%
IrmFibEntries 14336.00 1% 265.56 99%
IrmMfibEntryMemMan 14336.00 0% 0.00 0%
IrmWccpMemMan 104.68 0% 0.00 0%
IrmWccpServiceGroupL 0.06 0% 0.00 0%
AclOp 2176.00 0% 0.07 100%
AclOpAceSet 4352.00 0% 0.15 100%
AclClassifier 1280.00 0% 1.95 100%
AclFeature 6381.37 0% 10.31 100%
Acl 1536.00 0% 2.48 100%
Ace24 10880.00 0% 5.85 98%
Ace48 17408.00 0% 3.87 100%
AclFlowLabelListNode 7616.00 0% 0.00 0%
AceActionDescStorage 1088.00 0% 0.00 0%
AclListNode 512.00 0% 0.40 100%
AceListNode 102400.00 0% 0.68 72%
AclClassifierActionL 4096.00 0% 2.93 100%
AclLayerFeatureListN 512.00 0% 0.25 62%
AclClassifierListNod 512.00 0% 0.00 0%
OpenFlow24 3840.00 0% 0.18 100%
OpenFlow48 4800.00 0% 0.23 100%
OpenFlowRewriteActio 3840.00 0% 0.00 0%
OpenFlowSeqNumMap 625.00 0% 0.00 0%
TableMapMan NameToTa 77.00 0% 0.00 0%
TableMapAllocator 178.00 0% 0.00 0%
FlatAcl 512.00 0% 0.46 36%
FlatAce24 22528.00 0% 5.24 70%
FlatAce48 34816.00 0% 1.19 33%
FlatAceActionListNod 921600.00 0% 5.83 77%
FlatAclOpSetStorage 6144.00 0% 0.21 33%
FlatAclCacheNode 4608.00 0% 1.54 90%
FlatAclListNode 256.00 0% 0.16 4%
QosFeatureClassifier 353.03 0% 0.00 0%
QosFeatureClassifier 706.06 0% 0.00 0%
QosClassifierActionL 9884.87 0% 0.00 0%
QosNestedClassifierA 21181.87 0% 0.35 83%
QosPortVlanAclFeatur 1224.00 0% 0.00 0%
QoS Policers 37000.00 0% 0.00 0%
Qos FlowFnf 7.81 0% 0.00 0%
SgAclCells 34815.46 0% 0.00 0%
KxAclPath 2432.00 0% 3.48 100%
KxAclPathListNode 1280.00 0% 0.00 0%
KxAclConstPathListNo 1280.00 0% 0.67 55%
MacsecTransmitScMan 84.00 0% 0.00 0%
MacsecTransmitSaMan 304.00 0% 0.00 0%
MacsecReceiveScMan 168.00 0% 0.00 0%
MacsecReceiveSaMan 448.00 0% 0.00 0%
Rkios QoS PolicyMaps 445.67 0% 0.00 0%
FlowMetadataFlowSet 450.00 0% 0.00 0%
AclClassifierIdToCla 48.00 0% 0.00 0%
Rkios QoS ClassMaps 1024.00 0% 0.12 100%
AclToIosFilterMapLis 384.00 0% 0.00 0%
Rkios QoS Policers 3500.00 0% 0.00 0%
RkiosAclMan NamedGal 129.56 0% 0.09 100%
EpmPolicyListNode 120.00 0% 0.00 0%
EpmAceListNode 192.00 0% 0.00 0%
RkiosAclSecurityEpmP 4080.00 0% 0.00 0%
Rkios Acl VlanMaps 144.00 0% 0.00 0%
Rkios Acl VlanMapEnt 1406.25 0% 0.00 0%
RkiosTableMap Galios 3.00 0% 0.00 0%
KxAclLabeledFlatAcl 3840.00 0% 1.17 90%
KxAclLabeledFlatAclE 3072.00 0% 0.93 90%
EbmVlanHostEntrys 3437.50 0% 10.56 98%
FlowTable 3.16 0% 0.00 0%
FlowManIpSgtHashEntr 281.25 0% 0.00 0%
MOL PktSampDataSrc 9.37 0% 0.00 0%
MOL PktSampler 11.00 0% 0.00 0%
VsiBuffers(4096) 400.00 0% 0.00 0%
VsiBuffers(1024) 1500.00 6% 96.00 100%
VsiBuffers(128) 762.50 0% 5.62 0%
VsiBuffers(16) 146.87 0% 4.46 4%
VsiTransactions(1) 35.15 1% 5.74 10%
VsiTransactions(10) 38.08 20% 22.24 34%
VsiTransactions(18) 11.01 0% 0.18 0%
VsiTransactions(25) 12.65 0% 0.42 0%
VsiTransactions(80) 25.54 0% 0.85 0%
VsiTransactionRespon 5.70 7% 1.14 37%
VsiReqPool(s2w) 28.12 1% 1.31 28%
VsiReqPool(vli) 111.71 8% 17.18 52%
VsiReqPool(mdio22) 46.87 0% 25.31 0%
VsiReqPool(mdio45) 32.81 0% 0.56 0%
GalGbicEntrys 2.48 0% 0.00 0%
IrmMfibIntrfs 6144.00 0% 0.00 0%
Event Nodes 160.00 0% 0.00 0%
Event Nodes 160.00 0% 0.03 0%
K5L3FlcEntryAvlTree2 3225.58 7% 363.84 62%
K5PktSampPortStatsNo 2.00 0% 0.00 0%
K5PktSampVlanStatsNo 2.00 0% 0.00 0%
K5AclLabelSignatureM 10880.00 0% 3.65 90%
K5AclLabelMapEntryPa 1408.00 0% 0.00 0%
K5RwAdjs 5376.00 0% 21.49 91%
TableMapMan NameToTa 77.00 0% 0.00 0%
TableMapAllocator 178.00 0% 0.00 0%
InpTosMarkTbl BlockA 14.00 1% 0.21 100%
InpCosMarkTbl BlockA 14.00 1% 0.21 100%
InpExpMarkTbl BlockA 14.00 1% 0.21 100%
OutTosMarkTbl BlockA 14.00 1% 0.21 100%
OutCosMarkTbl BlockA 14.00 1% 0.21 100%
OutExpMarkTbl BlockA 14.00 3% 0.49 100%
K5TxPacketInfo 384.00 0% 0.32 0%
K5TxPacket 320.00 0% 0.01 0%
RkisoIpPbrRouteMaps 97.65 0% 0.00 0%
CommandTables 48.00 14% 6.79 100%
------------------ ------------------
TSM totals 1614938.42 0% 3249.45 70%
cisco01#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICESK9-M), Version 15.2(4)E10a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 28-Sep-20 08:44 by prod_rel_team
ROM: 12.2(44r)SG11
cisco02 uptime is 15 hours, 55 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500e-entservicesk9-mz.152-4.E10a.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40
01-15-2024 03:12 AM
How do you know this is a DDoS attack?
MHM
01-15-2024 03:14 AM
Created a monitor and dumped traffic with tcpdump in Linux.
Many packets with random IPs on port 53.
Someone is spoofing my subnet and my network receives answers for those fake DNS requests.
01-15-2024 03:21 AM
OK, apply an ACL on the interface connected to the internet to deny this port
MHM
01-15-2024 03:23 AM
That won't stop the attacker from using the full bandwidth between me and the ISPs.
01-15-2024 03:26 AM
No, but it protects your SW from high CPU
and you need to contact the ISP for this DDoS; they must drop this traffic from their site
MHM
01-15-2024 04:22 AM
For some reason, those deny rules do not fire:
no ip access-list extended ACL-INFRASTRUCTURE-IN
ip access-list extended ACL-INFRASTRUCTURE-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 deny ip any any option any-options
 permit udp any 188.241.240.0 0.0.1.255 eq domain
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 permit udp any host 1.1.1.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 deny udp any any eq domain
 permit ip any any
!
no ip access-list extended ACL-INFRASTRUCTURE-OUT
ip access-list extended ACL-INFRASTRUCTURE-OUT
 permit udp any 188.241.240.0 0.0.1.255 eq domain
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 permit udp any host 1.1.1.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 deny udp any any eq domain
 permit ip any any
!
interface vlan 10
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 no ip redirects
 no ip unreachables
!
interface vlan 20
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 no ip redirects
 no ip unreachables
!
Vlan 10, 20 -> ISPs.
Traffic looks like this, where 188.241.240.0/24 is my subnet.
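Added example (not written by any participant in this thread): a small model of first-match evaluation of the ACL-INFRASTRUCTURE-IN entries posted above, run against a reflected DNS answer. It assumes, as the capture described earlier suggests, that the flood consists of DNS answers, which carry UDP source port 53 and an arbitrary destination port; the packets, the addresses outside 188.241.240.0/23 and the `VARIANT` entries are constructed for illustration.

```python
import ipaddress

# ACL-INFRASTRUCTURE-IN as posted in the thread (duplicate 1.0.0.1 entry omitted).
POSTED = """deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
deny ip any any option any-options
permit udp any 188.241.240.0 0.0.1.255 eq domain
permit udp any host 8.8.8.8 eq domain
permit udp any host 8.8.4.4 eq domain
permit udp any host 1.1.1.1 eq domain
permit udp any host 1.0.0.1 eq domain
deny udp any any eq domain
permit ip any any""".splitlines()
# Hypothetical variant (an assumption, not from the thread): also match SOURCE port 53.
RESOLVERS = ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")
VARIANT = POSTED[:-1] + [f"permit udp host {r} eq domain any" for r in RESOLVERS] + [
    "deny udp any eq domain any", "permit ip any any"]
# Constructed packets; 203.0.113.7 and 198.51.100.9 are documentation addresses.
REFLECTED = {"proto": "udp", "src": "203.0.113.7", "sport": 53, "dst": "188.241.240.25", "dport": 41532}
QUERY_IN = {"proto": "udp", "src": "198.51.100.9", "sport": 50000, "dst": "188.241.240.10", "dport": 53}

def _addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    base, wild = (tok.pop(0), "0.0.0.0") if first == "host" else (first, tok.pop(0))
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def _port(tok):
    """Consume an optional 'eq <port>'; the IOS keyword 'domain' is port 53."""
    if tok[:1] != ["eq"]:
        return None
    port = tok[1]
    del tok[:2]
    return 53 if port == "domain" else int(port)

def parse(line):
    tok = line.split()  # dict values below are evaluated left to right, consuming tok
    return {"text": line, "action": tok.pop(0), "proto": tok.pop(0),
            "src": _addr(tok), "sport": _port(tok), "dst": _addr(tok), "dport": _port(tok),
            "frag": "fragments" in tok, "opt": "option" in tok}

def hits(ace, pkt):
    """True when every field the entry specifies agrees with the packet."""
    same = lambda spec, a: (int(ipaddress.IPv4Address(a)) | spec[1]) == (spec[0] | spec[1])
    return bool(ace["proto"] in ("ip", pkt["proto"])
                and same(ace["src"], pkt["src"]) and same(ace["dst"], pkt["dst"])
                and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"])
                and (not ace["frag"] or pkt.get("frag")) and (not ace["opt"] or pkt.get("opt")))

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse, acl):
        if hits(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"
```

In this model `evaluate(POSTED, REFLECTED)` falls through to `permit ip any any`, because `deny udp any any eq domain` tests the destination port, while the variant's source-port entry catches the same packet.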
01-15-2024 05:28 AM
deny udp any any fragments
remove fragments then check
MHM