12-29-2010 08:08 AM - last edited on 03-25-2019 05:15 PM by ciscomoderator
I have a situation where our security team is performing port scans on devices in our company, which is causing our Cisco routers to have increased CPU usage. I have a couple of assumptions that I'm hoping to clarify so I can understand the issue better. I say the port scans are the issue because we have correlated the time of the scan running to the increased CPU usage (and nothing else going on at the time). Unfortunately the security team does not know how their security tool works, but it appears to be scanning several devices at once and checking all ports. In this case we are looking at easily 20-50 devices scanning all ports, and all of these sockets passing through the same router that spikes during that time.

This is where my assumptions come in, because I do not fully understand what is going on. What I believe is that the number of ports being checked all at the same time could be putting strain on the router. I don't know how to check and see how many "sessions" are going on during this time, and I do not know what a normal amount of sessions would be nor how many our router is designed to handle.

In reading up on how port scanners work, I gather they use the TCP connect function to check each port. I've done some test scans using my own port scanner to get a packet capture and study this flow further. In studying this it would appear checking a single port takes very little traffic and resources, which makes me doubt my assumption. I know you guys won't be able to tell me if this is the exact problem. I'm just wondering if I am on the right track in saying that scanning dozens of devices at a time would create too many "sessions" and strain the router.
A port scan will put additional load on a router, especially a scan that covers the entire port range in a short period of time. What a port scan does is to use TCP to probe whether the router is listening on a particular port. If the router is not listening on that port, it would have to send a RST packet back to the scan source; if it is listening, then there is even more work on the router to try to establish the TCP connection by creating a TCP socket and sending back the TCP SYN/ACK. In either case, you'd see the router spend extra CPU cycles in the "IP Input" process when sending out these packets. With a UDP port scan, the router doesn't have to do as much work since it'd only have to send back the ip icmp port unreachables (rate limited at 500 ms by default).

In any event, there is no good way to monitor the "session" rate as you described, but you can use the generic flow analysis tools such as netflow to get a rough idea of what's going on. Hope this helps.
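The reply points at flow analysis (netflow) as the practical way to see how many new "sessions" a router is handling during a scan. Below is an added example, written for this thread and not part of the original post or of any Cisco tool, that shows the kind of summary a defender would pull from exported flow records. It assumes flows have already been exported to a simple text form (one flow per line: timestamp, source, destination, protocol, destination port; the sample data is constructed inside the script) and counts, per source, the distinct destination ports probed, the distinct hosts touched, and the peak number of new flows per one-second window, which is the figure that correlates with the extra "IP Input" work described above.

```python
"""Summarize port-scan "session" load from exported flow records.

Added example for the thread above; not code from the original post or from
Cisco. Assumes NetFlow-style records rendered as text lines of the form
    ts src dst proto dport
(a constructed sample is built by build_sample()).
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since some epoch
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()[:5]
        flows.append(Flow(float(ts), src, dst, proto.lower(), int(dport)))
    return flows


def build_sample():
    """Constructed sample data (hypothetical addresses): one host sweeping
    3 devices x 200 TCP ports in 2 seconds, plus a few ordinary flows."""
    lines = ["# ts src dst proto dport   (constructed sample)"]
    n = 0
    for host in ("10.2.0.10", "10.2.0.11", "10.2.0.12"):
        for port in range(1, 201):
            ts = 1000.0 + n * (2.0 / 600)      # 600 probes spread over 2 s
            lines.append(f"{ts:.4f} 10.1.1.50 {host} tcp {port}")
            n += 1
    normal = [(1000.3, "10.1.1.7", "10.2.0.10", "tcp", 443),
              (1000.9, "10.1.1.8", "10.2.0.11", "tcp", 22),
              (1001.4, "10.1.1.7", "10.2.0.12", "udp", 161)]
    for ts, src, dst, proto, dport in normal:
        lines.append(f"{ts} {src} {dst} {proto} {dport}")
    return "\n".join(lines)


def summarize(flows, window=1.0):
    """Per source: distinct (proto, dport) pairs probed, distinct destination
    hosts, and the peak count of new flows in any `window`-second bucket.
    The peak is the number of replies (RST or SYN/ACK) the router must
    generate per window if it is the target, or forward if it is in path."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    buckets = defaultdict(lambda: defaultdict(int))
    for f in flows:
        ports[f.src].add((f.proto, f.dport))
        hosts[f.src].add(f.dst)
        buckets[f.src][math.floor(f.ts / window)] += 1
    return {
        src: {
            "ports": len(ports[src]),
            "hosts": len(hosts[src]),
            "peak_flows_per_window": max(buckets[src].values()),
        }
        for src in ports
    }


def find_scanners(summary, min_ports=50, min_rate=100):
    """Sources that touched many distinct ports or opened flows at a high
    rate; thresholds are illustrative and should be tuned to the network."""
    return sorted(src for src, s in summary.items()
                  if s["ports"] >= min_ports
                  or s["peak_flows_per_window"] >= min_rate)


if __name__ == "__main__":
    summary = summarize(parse_flows(build_sample()))
    for src, s in sorted(summary.items()):
        print(f"{src:12} ports={s['ports']:4} hosts={s['hosts']:3} "
              f"peak/s={s['peak_flows_per_window']}")
    print("scan-like sources:", find_scanners(summary))
```

Run against a real export, the per-source peak tells you how many probe flows per second the router was seeing when its CPU rose, which can be lined up against the "IP Input" figure from `show processes cpu` on the router; the thresholds in `find_scanners` are placeholders, not measured values.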