09-06-2003 06:06 PM - edited 03-09-2019 04:41 AM
I have a router that gives me exit to the Internet, and since about 4 days ago, when I ran the command "sh proces", it's showing 59% to 65% when the norm has been 3% to 10%.
So there is a device or several of them that are causing too much traffic due to an electronic problem or a virus or excessive use by the user. I want to know:
1. What can I do to identify the IP or the MAC address of the device(s) that are causing this traffic?
2. Is there any kind of access-list or debug mechanism that helps to identify these devices?
3. Is there any kind of software, even if different from a Cisco product, that can help me to troubleshoot this problem?
4. By the way, is there any way to stop or control viruses coming into the system from the router?
Thanks for any help I can have from you all
09-07-2003 09:59 AM
Hi -
You may find the following Cisco advisory documents helpful:
http://www.cisco.com/en/US/products/hw/routers/ps214/prod_security_advisories_list.html
Thanks - Jay
09-08-2003 10:02 PM
Jay
Thanks, I am looking into the links.
J.P
09-09-2003 12:09 AM
Do an IP accounting on the Ethernet interfaces and look for 92-byte and 48-byte packets, lots of them coming from the same hosts. If this is the case, you have a virus on the source IP addresses.
To block the 92 bytes you only need an ext accesslist:
deny icmp any any echo
deny icmp any any echo-reply
For the 48 bytes I'm not sure, but Cisco has generated a common accesslist for these viruses; search the web. The problem with this one is that it tends to block a lot of other traffic as well.
good luck
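The check suggested in the reply above, sketched as an added example that is not part of the original post: it parses saved `show ip accounting` output and lists sources whose rows consist of 92-byte or 48-byte packets sent to several destinations. The sample rows are constructed, and the function name `suspect_hosts` and the `min_destinations` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Source/Destination/Packets/Bytes layout (documentation addresses).
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.15       198.51.100.1                     3                 276
 192.0.2.15       198.51.100.2                     2                 184
 192.0.2.15       198.51.100.3                     4                 368
 192.0.2.15       198.51.100.4                     1                  92
 192.0.2.22       203.0.113.9                    120               91440
 192.0.2.31       198.51.100.77                    5                 240
 192.0.2.31       198.51.100.78                    2                  96
 192.0.2.31       198.51.100.79                    1                  48
 192.0.2.40       203.0.113.9                      1                  92
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
SUSPECT_SIZES = (92, 48)  # packet sizes named in the thread

def suspect_hosts(text, min_destinations=3):
    """Return {source: {size: (destination_count, packet_count)}} for sources
    sending 92- or 48-byte packets to at least min_destinations hosts."""
    seen = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or any trailing summary line
        src, dst, packets, nbytes = m[1], m[2], int(m[3]), int(m[4])
        if packets == 0:
            continue
        for size in SUSPECT_SIZES:
            # Each row is a per-pair total; it is consistent with every
            # packet being `size` bytes when bytes == packets * size.
            if nbytes == packets * size:
                entry = seen[src][size]
                entry[0].add(dst)
                entry[1] += packets
    report = {}
    for src, sizes in seen.items():
        hits = {s: (len(d), p) for s, (d, p) in sizes.items() if len(d) >= min_destinations}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for src, hits in sorted(suspect_hosts(SAMPLE).items()):
        for size, (dests, packets) in hits.items():
            print(f"{src}: {packets} packets of {size} bytes to {dests} destinations")
```

The destination threshold keeps a single ordinary ping (one 92-byte row to one host) from being reported; lower it only when the accounting table is small.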
09-15-2003 12:19 AM
Thanks for your response. This is the access-list created and it is in effect:
Access-list 120 Applied to Fast Ethernet0/0 to watch incoming traffic
Deny tcp any any eq 135 log
Deny udp any any eq 135 log
Deny tcp any any eq 137 log
Deny udp any any eq netbios-ns
Deny tcp any any eq 138 log
Deny udp any any eq netbios-dgm
Deny tcp any any eq 139 log
Deny udp any any eq netbios-ss
Deny tcp any any eq 445
Deny tcp any any eq 445
Deny tcp any any eq 4444
Deny tcp any any eq 4444
Deny icmp any any echo
Deny icmp any any echo-reply
Permit ip any any
So far it is producing some ip numbers and we are on it.