
Cisco WS-C4948E CPU Usage 99% Constantly during DDoS attack

florinmarian
Level 1

I have a Cisco WS-C4948E switch connected with two ISPs through which I establish a BGP session that announces each IPv4/IPv6 subnet.
The switch is connected to GigabitEthernet1/1 port with a QoS of 150Mbps and represents the connection with ISP1 and TenGigabitEthernet1/50 with a QoS of 2Gbps representing the connection with ISP2.
I have been under a DDoS attack by DNS Amplification for a few days now, targeting all IPs in the advertised subnets. The problem is that my CPU is sitting at 99% even though the cumulative traffic is small and the switch should be processing many more packets without problems.

CPU usage evidence:

show processes cpu sorted
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  79    33380786     2451006      13619 61.91% 59.62% 58.90%   0 Cat4k Mgmt LoPri
 145    13681631    11384527       1201 25.51% 24.35% 23.81%   0 IP Input
 352     6729164      227758      29545  8.15% 11.20% 12.50%   0 OBFL INTR slot-1
  78     1214361     4827396        251  1.91%  2.69%  2.68%   0 Cat4k Mgmt HiPri


show processes cpu history
      999999999999999999999999999999999999999999999999999999999999
      999999999999999999999999999999999999999999999999999999999999
  100 **********************************************************
   90 **********************************************************
   80 **********************************************************
   70 **********************************************************
   60 **********************************************************
   50 **********************************************************
   40 **********************************************************
   30 **********************************************************
   20 **********************************************************
   10 **********************************************************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)




      999999999999999999999999999999999999999999999999999999999999
      999999999999999999999999999999999999999999999999999999999999
  100 ##########################################################
   90 ##########################################################
   80 ##########################################################
   70 ##########################################################
   60 ##########################################################
   50 ##########################################################
   40 ##########################################################
   30 ##########################################################
   20 ##########################################################
   10 ##########################################################
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%




      999999999999999
      999999999999999
  100 ###############
   90 ###############
   80 ###############
   70 ###############
   60 ###############
   50 ###############
   40 ###############
   30 ###############
   20 ###############
   10 ###############
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

Traffic:

cisco01#! Orange ISP
cisco01#show interfaces TenGigabitEthernet1/50 | include rate
  Queueing strategy: fifo
  5 minute input rate 2930014000 bits/sec, 275290 packets/sec
  5 minute output rate 836820000 bits/sec, 69316 packets/sec
cisco01#! RCS&RDS ISP
cisco01#show interfaces GigabitEthernet1/1 | include rate
  Queueing strategy: fifo
  5 minute input rate 219400000 bits/sec, 54281 packets/sec
  5 minute output rate 177663000 bits/sec, 16403 packets/sec
cisco01#! node01
cisco01#show interfaces Port-channel3 | include rate
  Queueing strategy: fifo
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
cisco01#! dell1
cisco01#show interfaces Port-channel5 | include rate
  Queueing strategy: fifo
  5 minute input rate 4380000 bits/sec, 1445 packets/sec
  5 minute output rate 477389000 bits/sec, 41260 packets/sec
cisco01#! hp1
cisco01#show interfaces TenGigabitEthernet1/49 | include rate
  Queueing strategy: fifo
  5 minute input rate 1011133000 bits/sec, 84507 packets/sec
  5 minute output rate 220475000 bits/sec, 54166 packets/sec

 


balaji.bandi
Hall of Fame

What IOS code is running on this kit - is this VSS standalone?

This is the only one that is consuming more CPU here:

Cat4k Mgmt LoPri

Check:

#show platform health

#show version (how long is the uptime)

What if you shut down one of the links, does the CPU go low?

Also find the troubleshooting guide for Cat 4K:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/65591-cat4500-high-cpu.html

Post the complete output of the ISP-connected interface (not only rate).

Protect against DDoS attack by DNS amplification (if that can help you) - https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/dos.html

 

BB


Thank you for your insanely fast answer!

#show platform health
                     %CPU   %CPU    RunTimeMax   Priority  Average %CPU  Total
                     Target Actual Target Actual   Fg   Bg 5Sec Min Hour  CPU
RkiosObflMan           0.50   0.00      4      0  100  500    0   0    0  0:02
VSI slot-01            1.00   0.35      6      1  100  500    0   0    0  2:40
VSI backplane          1.00   0.00      6      0  100  500    0   0    0  0:00
GalChassisVp           3.00   0.07     20     13  100  500    0   0    0  0:42
S2w-JobEventSchedule  10.00   0.00     10      0  100  500    0   0    0  0:00
Stub-JobEventSchedul  10.00   0.00     10      0  100  500    0   0    0  0:00
Lj-poll                1.00   0.02      2      0  100  500    0   0    0  0:12
StatValueMan Update    1.00   0.03      1      0  100  500    0   0    0  0:18
Pim-review             0.10   0.00      1      0  100  500    0   0    0  0:02
Ebm-host-review        1.00   0.00      8      0  100  500    0   0    0  0:06
Ebm-host-util-review   1.00   0.00     10      0  100  500    0   0    0  0:00
Ebm-port-review        0.10   0.00      1      0  100  500    0   0    0  0:00
Protocol-aging-revie   0.20   0.00      2      0  100  500    0   0    0  0:00
EbmHostRedundancyMan   2.00   0.00     20      0  100  500    0   0    0  0:00
Acl-Flattener          1.00   0.00     10      2  100  500    0   0    0  0:00
GalChassisVp Ondeman   2.00   0.00      2      0  100  500    0   0    0  0:00
KxAclPathMan create/   1.00   0.00     10      5  100  500    0   0    0  0:11
KxAclPathMan update    2.00   0.00     10    115  100  500    0   0    0  1:28
KxAclPathMan reprogr   1.00   0.00      2      1  100  500    0   0    0  0:00
KxPartialPath Review   2.00   0.00     10      0  100  500    0   0    0  0:00
GalK5TatooineStatsMa   0.70   0.02      4      0  100  500    0   0    0  0:18
MOL FastDropReview     2.00   0.00     15      0  100  500    0   0    0  0:00
IrmMfibEntryMan Revi   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3WCCP Service Gro   2.00   0.00     15      0  100  500    0   0    0  0:00
RkiosL3PortMan AclFe   2.00   0.00     15      5  100  500    0   0    0  0:00
RkiosVs Purged Modul   2.00   0.00     15      0  100  500    0   0    0  0:00
GalK5SupervisorVpFpg   2.00   0.00      0      0  100  500    0   0    0  0:00
GalK5SupervisorVpFpg   2.00   0.00     10      0  100  500    0   0    0  0:00
GalK5SupervisorVpFpg   2.00   0.00     10      0  100  500    0   0    0  0:00
LinecardFpgaUpgrade    0.50   0.00      2      0  100  500    0   0    0  0:00
K5L3FlcMan FwdEntry    2.00   0.00     15      0  100  500    0   0    0  0:00
FwdEntry Zombie Revi   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3FlcMan Cam Shuff   4.00   0.00     25      0  100  500    0   0    0  0:00
K5L3Unciast IFE Revi   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3UnicastRpf IFE R   2.00   0.00     15     53  100  500    0   0    0  0:00
K5L3Unicast Fwd Entr   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3McastMan IrmMfib   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3McastMan ImeSync   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3Unicast Fwd Entr   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3Unicast Adj Chan   2.00   0.00     15      0  100  500    0   0    0  0:05
K5L3Unicast Adj Tabl   2.00   0.00     15      5  100  500    0   0    0  0:41
K5L3Unicast Adj Grou   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3SourceGuardMan S   2.00   0.00     15      0  100  500    0   0    0  0:00
K5L3McastMan RetSync   1.00   0.00      8      0  100  500    0   0    0  0:00
K5FlcHitMan review     2.00   0.01      5      2  100  500    0   0    0  0:40
K5L3SubinterfaceMan    2.00   0.00     15      1  100  500    0   0    0  0:00
K5PortMan Regular Re   2.00   0.22     15      6  100  500    0   0    0  2:23
K5PortMan Ondemand L   6.00   0.75     30      4  100  500    0   0    0  4:47
K5PortMan Stats Revi   2.00   0.00     15      0  100  500    0   0    0  0:11
K5PortMan Tx Queue R   3.00   0.00     15      0  100  500    0   0    0  0:00
K5L2 Vlan Table Revi   2.00   0.00     12      8  100  500    0   0    0  2:06
K5 L2 Aging Table Re   2.00   0.22     20      4  100  500    0   0    0  1:18
K5 L2 Unicast Addres   2.00   0.00     20      1  100  500    0   0    0  0:04
K5 L2 Multicast Addr   2.00   0.00     20      0  100  500    0   0    0  0:03
K5 L2 Hardware Addre   2.00   0.00     20      3  100  500    0   0    0  0:14
K5 L2 Hardware Mac L   1.00   0.00      2      0  100  500    0   0    0  0:00
K5RetStatsMan Review   2.00   0.00      5      0  100  500    0   0    0  0:00
K5CpuMan Review       30.00  69.30     30     23  100  500   88  73   56  533:21
K5ForerunnerPacketMa   2.00   1.46      4      0  100  500    1   1    1  10:38
K5ForerunnerPacketMa   2.00   0.22      4      0  100  500    0   0    0  1:47
K5QosDhmMan Rate DBL   2.00   0.00      7      0  100  500    0   0    0  0:00
K5QosDblMan (dis|en)   1.00   0.00      2      0  100  500    0   0    0  0:00
K5QosPolicerStatsMan   1.00   0.00     10      0  100  500    0   0    0  0:02
K5VlanStatsReview      2.00   1.88     10      5  100  500    2   1    1  14:06
K5VlanStatsTableMan    2.00   0.00      2      0  100  500    0   0    0  0:00
K5VlanStatsTableMan    2.00   0.00      2      0  100  500    0   0    0  0:00
K5RwAdjStatsMan Revi   2.00   0.07     10      7  100  500    0   0    0  2:54
K5AclMan-labeledFlat   1.00   0.00     10    171  100  500    0   0    0  0:00
K5AclLabelMan-punted   1.00   0.00     10      0  100  500    0   0    0  0:02
K5AclCamMan stale en   1.00   0.00     10      5  100  500    0   0    0  0:00
K5AclCamStatsMan hw    3.00   0.01     10      5  100  500    0   0    0  2:04
K5Acl Input Action U   2.00   0.00     15      7  100  500    1   1    1  12:09
K5Acl Output Action    2.00   0.00     15      7  100  500    1   1    1  12:39
K5PktSamp Sampling C   3.00   0.10      3      0  100  500    0   0    0  0:47
K5SgaclMan create/de   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
TODO give valid name   1.00   0.00     10      0  100  500    0   0    0  0:00
RkGenericL3Wccp IrmW   2.00   0.00     10      0  100  500    0   0    0  0:02
RkiosPortMan Port Re   2.00   0.08     12     10  100  500    0   0    0  1:00
Rkios Module State R   4.00   0.02     40      0  100  500    0   0    0  0:13
Rkios Online Diag Re   4.00   0.02     40      0  100  500    0   0    0  0:13
MatMan Review          0.50   0.00      4      0  100  500    0   0    0  0:00
GalDagobahManPowerFa   3.00   0.00      1      0  100  500    0   0    0  0:00
LocalJawaVsiMan VsiR   0.20   0.00      2      0  100  500    0   0    0  0:00
RkiosIpPbr IrmPort R   2.00   0.00     10      1  100  500    0   0    0  0:19
RkiosAclMan Review     3.00   0.05     30      0  100  500    0   0    0  0:25
GalK5DriverMan Revie   5.00   0.00     20      1  100  500    0   0    0  0:00
FrysSpiRomMan          0.50   0.00      2      0  100  500    0   0    0  0:00
GalGlmLinecardVp(1)    5.00   0.28     20     63  100  500    0   0    0  2:16
Temperature monitor    0.40   0.02      4      0  100  500    0   0    0  0:07
GalGlmPollerMan        3.00   0.01     20      0  100  500    0   0    0  0:12
Quack                  4.00   0.00     20      0  100  500    0   0    0  0:00
GlmBridgeMan(0) revi   0.50   0.00      2      0  100  500    0   0    0  0:05
Stub periodic global   0.50   0.00      5      0  100  500    0   0    0  0:00
Stub ondemand global   0.50   0.00      5      0  100  500    0   0    0  0:00
Xgstub Stats Review    0.50   0.14      5      0  100  500    0   0    0  1:04
edcControllerMan_(0:   0.40   0.00      4      0  100  500    0   0    0  0:00
edcControllerMan_(0:   0.40   0.00      4      0  100  500    0   0    0  0:00
edcControllerMan_(0:   0.20   0.00      2      0  100  500    0   0    0  0:00
EthPhyPCMan(0:N) per   0.40   0.03      4      1  100  500    0   0    0  0:14
EthPhyPCMan(0:N) ond   0.20   0.01      2      1  100  500    0   0    0  0:05
LinecardDiagMan on d   0.50   0.00      1      0  100  500    0   0    0  0:00
EpmPortGroup(0:N) st   0.50   0.09      2      0  100  500    0   0    0  0:45
EpmPortGroup(0:N) on   0.50   0.06      4      8  100  500    0   0    0  0:26
SfpController(0)       0.50   0.00      0      0  100  500    0   0    0  0:00
EpmPluggableGroup(0:   0.60   0.04      6      3  100  500    0   0    0  0:17
                     -------------
%CPU Totals          228.90  75.74

                       Allocation ceiling        Current allocation
                       ------------------        ------------------
                       kbytes    % in use        kbytes    % in use

Chassis 1 Linecard 1     2560.00      43%         1111.42      100%
TSM objects            ------------------        ------------------
PacketInfoItem            781.25       0%            0.50        0%
VbufNodes2400              80.50       0%            0.00        0%
VbufNodes1600              55.50       0%            3.46        0%
VbufNodes400              288.00       0%            1.12       50%
VbufNodes64                60.00       0%            0.46        0%
VbufNodes4200              68.37       0%            0.00        0%
Packet                   2651.01       0%            0.23        0%
RkiosSysPacketBuf         281.25       0%            1.01        0%
IndexCache                800.78       0%            0.00        0%
K5InternalVlanIdMap        96.00       0%            0.00        0%
K5AclOpDescNode         21504.00       0%            0.73        0%
K5AclRetMapEntryNode       56.00       0%            0.00        0%
K5AclLabelListNode       1024.00       0%            0.00        0%
K5AclIpv6PackedAddrH     1024.00       0%            0.00        0%
K5RwFormatAddrHashEn        5.97       0%            0.00        0%
K5RwFwdControlEntry         8.00       2%            0.18      100%
K5AdjGroups               960.00       0%            5.11       91%
IrmFibUnicastRpfList     8192.00       0%            8.75       92%
IrmSourceGuardEntrys     9092.50       0%            0.00        0%
K5L3FwdEntrys           31200.00       1%          909.60       62%
K5L3FwdEntryAvlTree2    12480.00       0%          182.06       62%
K5L3FwdTreeEntrys       21840.00       1%          637.21       62%
K5L3FwdTreeEntryAvlT    49920.00       0%          181.92       62%
IrmMfibFastDropFlowM      576.00       0%            0.00        0%
K5QosTxQueSelTableBl       12.00       2%            0.32      100%
K5QosPolicerBlockNod        2.00       0%            0.00        0%
K5QosPolicerBlockMem       69.00       0%            0.00        0%
K5QosPolicerMemAlloc      448.00       0%            0.00        0%
K5QosFeatureInfoList     2560.00       0%            0.54       71%
K5QosLabelToFeatureE     1920.00       0%            0.11       50%
K5QosPathFeatureInfo      512.00       0%            0.03       50%
K5SgaclEntry             2176.00       0%            0.00        0%
K5SgaclIpDgtEntry          96.00       0%            0.00        0%
K5CpuPacketInfoItem       781.25       0%            0.00        0%
MatEntrys               19456.00       0%            2.96      100%
MatEntryTableIterato        1.00       0%            0.03        0%
RkiosL2MacVlanEntrie       80.00       0%            0.00        0%
RkiosL3Port              2755.37       0%            1.31      100%
AclContextListNode        120.00       0%            0.00        0%
RkiosEpmManAclContex      300.00       0%            0.00        0%
PimPhyports              1851.56       5%          105.53      100%
PimPorts                 1558.59       8%          125.72      100%
PimModules                526.00       0%            2.05      100%
PimSlots                   18.00       0%            0.07      100%
PimChassis                  8.26      50%            4.13      100%
PimQuack                    1.75       3%            0.05      100%
EbmVlans                14944.00       0%           36.48      100%
EbmVlanGroupEntrys       8448.00       0%            1.28      100%
EbmPorts                 1031.25       7%           81.12      100%
EbmPortHostEntrys        3182.37       0%            0.00        0%
EbmIeNodes                540.00       1%            5.80      100%
EbmPortVlanAclFeatur     8064.00       0%            0.00        0%
EbmPortVlanMap Alloc       64.00       0%            0.00        0%
EbmSortedHostTableIt        1.87       0%            0.00        0%
EbmSortedGroupTableI        1.87       0%            0.05        0%
EbmHostRedundancyMan     1082.81       0%            0.00        0%
EbmHostAgeRedundancy     1082.81       0%            0.00        0%
EbmMvrGroup                12.00       0%            0.00        0%
EbmMvrReceiverVlanPo     3648.00       0%            0.00        0%
IrmVrfs                   630.00       0%            4.92      100%
IrmFibLoadBalances       1280.00       0%            0.07      100%
IrmFibAdjs               4224.00       0%           32.05       94%
IrmPortMemMan            9097.65       0%            6.42      100%
IrmPortEtherAddrEntr      500.00       0%            0.00        0%
IrmFibEntries           14336.00       1%          265.56       99%
IrmMfibEntryMemMan      14336.00       0%            0.00        0%
IrmWccpMemMan             104.68       0%            0.00        0%
IrmWccpServiceGroupL        0.06       0%            0.00        0%
AclOp                    2176.00       0%            0.07      100%
AclOpAceSet              4352.00       0%            0.15      100%
AclClassifier            1280.00       0%            1.95      100%
AclFeature               6381.37       0%           10.31      100%
Acl                      1536.00       0%            2.48      100%
Ace24                   10880.00       0%            5.85       98%
Ace48                   17408.00       0%            3.87      100%
AclFlowLabelListNode     7616.00       0%            0.00        0%
AceActionDescStorage     1088.00       0%            0.00        0%
AclListNode               512.00       0%            0.40      100%
AceListNode            102400.00       0%            0.68       72%
AclClassifierActionL     4096.00       0%            2.93      100%
AclLayerFeatureListN      512.00       0%            0.25       62%
AclClassifierListNod      512.00       0%            0.00        0%
OpenFlow24               3840.00       0%            0.18      100%
OpenFlow48               4800.00       0%            0.23      100%
OpenFlowRewriteActio     3840.00       0%            0.00        0%
OpenFlowSeqNumMap         625.00       0%            0.00        0%
TableMapMan NameToTa       77.00       0%            0.00        0%
TableMapAllocator         178.00       0%            0.00        0%
FlatAcl                   512.00       0%            0.46       36%
FlatAce24               22528.00       0%            5.24       70%
FlatAce48               34816.00       0%            1.19       33%
FlatAceActionListNod   921600.00       0%            5.83       77%
FlatAclOpSetStorage      6144.00       0%            0.21       33%
FlatAclCacheNode         4608.00       0%            1.54       90%
FlatAclListNode           256.00       0%            0.16        4%
QosFeatureClassifier      353.03       0%            0.00        0%
QosFeatureClassifier      706.06       0%            0.00        0%
QosClassifierActionL     9884.87       0%            0.00        0%
QosNestedClassifierA    21181.87       0%            0.35       83%
QosPortVlanAclFeatur     1224.00       0%            0.00        0%
QoS Policers            37000.00       0%            0.00        0%
Qos FlowFnf                 7.81       0%            0.00        0%
SgAclCells              34815.46       0%            0.00        0%
KxAclPath                2432.00       0%            3.48      100%
KxAclPathListNode        1280.00       0%            0.00        0%
KxAclConstPathListNo     1280.00       0%            0.67       55%
MacsecTransmitScMan        84.00       0%            0.00        0%
MacsecTransmitSaMan       304.00       0%            0.00        0%
MacsecReceiveScMan        168.00       0%            0.00        0%
MacsecReceiveSaMan        448.00       0%            0.00        0%
Rkios QoS PolicyMaps      445.67       0%            0.00        0%
FlowMetadataFlowSet       450.00       0%            0.00        0%
AclClassifierIdToCla       48.00       0%            0.00        0%
Rkios QoS ClassMaps      1024.00       0%            0.12      100%
AclToIosFilterMapLis      384.00       0%            0.00        0%
Rkios QoS Policers       3500.00       0%            0.00        0%
RkiosAclMan NamedGal      129.56       0%            0.09      100%
EpmPolicyListNode         120.00       0%            0.00        0%
EpmAceListNode            192.00       0%            0.00        0%
RkiosAclSecurityEpmP     4080.00       0%            0.00        0%
Rkios Acl VlanMaps        144.00       0%            0.00        0%
Rkios Acl VlanMapEnt     1406.25       0%            0.00        0%
RkiosTableMap Galios        3.00       0%            0.00        0%
KxAclLabeledFlatAcl      3840.00       0%            1.17       90%
KxAclLabeledFlatAclE     3072.00       0%            0.93       90%
EbmVlanHostEntrys        3437.50       0%           10.56       98%
FlowTable                   3.16       0%            0.00        0%
FlowManIpSgtHashEntr      281.25       0%            0.00        0%
MOL PktSampDataSrc          9.37       0%            0.00        0%
MOL PktSampler             11.00       0%            0.00        0%
VsiBuffers(4096)          400.00       0%            0.00        0%
VsiBuffers(1024)         1500.00       6%           96.00      100%
VsiBuffers(128)           762.50       0%            5.62        0%
VsiBuffers(16)            146.87       0%            4.46        4%
VsiTransactions(1)         35.15       1%            5.74       10%
VsiTransactions(10)        38.08      20%           22.24       34%
VsiTransactions(18)        11.01       0%            0.18        0%
VsiTransactions(25)        12.65       0%            0.42        0%
VsiTransactions(80)        25.54       0%            0.85        0%
VsiTransactionRespon        5.70       7%            1.14       37%
VsiReqPool(s2w)            28.12       1%            1.31       28%
VsiReqPool(vli)           111.71       8%           17.18       52%
VsiReqPool(mdio22)         46.87       0%           25.31        0%
VsiReqPool(mdio45)         32.81       0%            0.56        0%
GalGbicEntrys               2.48       0%            0.00        0%
IrmMfibIntrfs            6144.00       0%            0.00        0%
Event Nodes               160.00       0%            0.00        0%
Event Nodes               160.00       0%            0.03        0%
K5L3FlcEntryAvlTree2     3225.58       7%          363.84       62%
K5PktSampPortStatsNo        2.00       0%            0.00        0%
K5PktSampVlanStatsNo        2.00       0%            0.00        0%
K5AclLabelSignatureM    10880.00       0%            3.65       90%
K5AclLabelMapEntryPa     1408.00       0%            0.00        0%
K5RwAdjs                 5376.00       0%           21.49       91%
TableMapMan NameToTa       77.00       0%            0.00        0%
TableMapAllocator         178.00       0%            0.00        0%
InpTosMarkTbl BlockA       14.00       1%            0.21      100%
InpCosMarkTbl BlockA       14.00       1%            0.21      100%
InpExpMarkTbl BlockA       14.00       1%            0.21      100%
OutTosMarkTbl BlockA       14.00       1%            0.21      100%
OutCosMarkTbl BlockA       14.00       1%            0.21      100%
OutExpMarkTbl BlockA       14.00       3%            0.49      100%
K5TxPacketInfo            384.00       0%            0.32        0%
K5TxPacket                320.00       0%            0.01        0%
RkisoIpPbrRouteMaps        97.65       0%            0.00        0%
CommandTables              48.00      14%            6.79      100%
                       ------------------        ------------------
TSM totals            1614938.42       0%         3249.45       70%

cisco01#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch  Software (cat4500e-ENTSERVICESK9-M), Version 15.2(4)E10a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 28-Sep-20 08:44 by prod_rel_team

ROM: 12.2(44r)SG11
cisco02 uptime is 15 hours, 55 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500e-entservicesk9-mz.152-4.E10a.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40

How do you know this is a DDoS attack?

MHM

Created a monitor and dumped traffic with tcpdump in Linux.

Many packets with random IPs on port 53.

Someone is spoofing my subnet and my network receives answers for those fake DNS requests.

OK, apply an ACL on the interface connected to the internet to deny this port.
MHM

florinmarian
Level 1

That won't stop the attacker from using the full bandwidth between me and the ISPs.

No, but it protects your SW from high CPU,
and you need to contact the ISP for this DDoS; they must drop this traffic from their site.
MHM

For some reason, those deny rules do not fire:

no ip access-list extended ACL-INFRASTRUCTURE-IN
ip access-list extended ACL-INFRASTRUCTURE-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 deny ip any any option any-options
 permit udp any 188.241.240.0 0.0.1.255 eq domain
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 permit udp any host 1.1.1.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 deny udp any any eq domain
 permit ip any any
!
no ip access-list extended ACL-INFRASTRUCTURE-OUT
ip access-list extended ACL-INFRASTRUCTURE-OUT
 permit udp any 188.241.240.0 0.0.1.255 eq domain
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 permit udp any host 1.1.1.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 permit udp any host 1.0.0.1 eq domain
 deny udp any any eq domain
 permit ip any any
!

interface vlan 10
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 no ip redirects
 no ip unreachables
!
interface vlan 20
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 no ip redirects
 no ip unreachables
!

Vlan 10, 20 -> ISPs.
Traffic looks like this, where 188.241.240.0/24 is my subnet.
Screenshot_4.png

 deny udp any any fragments

Remove fragments, then check.
MHM
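
Added example, not code from the thread or from Cisco: a minimal first-match evaluator run over the ACL-INFRASTRUCTURE-IN lines posted above, showing which entry a reflected DNS answer (UDP source port 53) actually hits, since `eq domain` placed after the destination matches the destination port. The sample packets, the host addresses in them and the extra source-port entry are constructed assumptions; fragments and IP options are not modelled.

```python
"""First-match evaluation of the ACL-INFRASTRUCTURE-IN lines quoted in the thread."""
import ipaddress

PORTS = {"domain": 53}      # IOS port keyword -> number
ANY = (0, 0xFFFFFFFF)       # (address, wildcard) pair that matches every host

# ACL lines as posted, including the repeated 1.0.0.1 entry.
ACL_IN = [
    "deny tcp any any fragments",
    "deny udp any any fragments",
    "deny icmp any any fragments",
    "deny ip any any fragments",
    "deny ip any any option any-options",
    "permit udp any 188.241.240.0 0.0.1.255 eq domain",
    "permit udp any host 8.8.8.8 eq domain",
    "permit udp any host 8.8.4.4 eq domain",
    "permit udp any host 1.1.1.1 eq domain",
    "permit udp any host 1.0.0.1 eq domain",
    "permit udp any host 1.0.0.1 eq domain",
    "deny udp any any eq domain",
    "permit ip any any",
]

# Assumption (not from the thread): the same ACL plus an entry that matches the
# UDP *source* port. It would also match answers to the network's own outbound
# queries unless permits for the resolvers in use are placed ahead of it.
ACL_IN_SRC_PORT = ACL_IN[:-1] + ["deny udp any eq domain any", "permit ip any any"]

# Constructed sample packets (unfragmented, no IP options).
REFLECTED_ANSWER = dict(proto="udp", src="203.0.113.7", sport=53,
                        dst="188.241.240.10", dport=40000)
QUERY_TO_OWN_NET = dict(proto="udp", src="203.0.113.7", sport=40000,
                        dst="188.241.240.10", dport=53)
QUERY_TO_OTHER = dict(proto="udp", src="203.0.113.7", sport=40000,
                      dst="198.51.100.1", dport=53)


def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (int(ipaddress.IPv4Address(tok.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0))))


def _port(tok):
    """Consume an optional 'eq PORT' that follows an address spec."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None


def parse_ace(line):
    """Parse 'action proto SRC [eq P] DST [eq P] [extras]' into a dict."""
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    # Trailing 'fragments' / 'option ...' never apply to the modelled packets.
    ace["skip"] = bool(tok)
    return ace


def matches(ace, pkt):
    if ace["skip"] or ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for addr_key, port_key in (("src", "sport"), ("dst", "dport")):
        net, wild = ace[addr_key]
        ip = int(ipaddress.IPv4Address(pkt[addr_key]))
        if (ip | wild) != (net | wild):          # wildcard bits are "don't care"
            return False
        if ace[port_key] is not None and ace[port_key] != pkt[port_key]:
            return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching line) for the first entry that matches."""
    for line in acl_lines:
        if matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    for name, acl in (("posted", ACL_IN), ("with source-port entry", ACL_IN_SRC_PORT)):
        for label, pkt in (("reflected answer", REFLECTED_ANSWER),
                           ("query to own net", QUERY_TO_OWN_NET),
                           ("query to other host", QUERY_TO_OTHER)):
            print(f"{name:24} {label:20} -> {evaluate(acl, pkt)}")
```
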