
UDP Flood

Mero Cisco
Level 1

Hi,

My router is working in a degraded mode, and the CPU graph hits 90%. When I issue the show ip cache flow command, I get the following output:

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B7 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B0 008A     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B1 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 C1B1 008A     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 D564 445C     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B2 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1B1 0089     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1B3 008A     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B3 008A     4
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AC 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AD 008A     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F57B 445C     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1AE 008A     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1AC 0089     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AF 008A     6
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1AF 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01A8 008A     4
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01A9 008A     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 E1A9 008A     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 E1AA 008A     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AA 008A     4
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AB 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01A4 008A     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01A5 008A     3

Why is it behaving like this, and how can I solve this problem? The subnet mask for this network is 255.255.255.0.

Regards,

Mero


nkarpysh
Cisco Employee

Hi Mero,

The host 10.10.4.3, connected through interface Fa0/1, sends broadcasts in your local network (to 10.10.4.255). Broadcasts are subject to analysis by the CPU. Check this host, understand why it is sending those, and stop that. Or at least block the host or this traffic with an ACL, or just shut down the port.

Nik

HTH,
Niko

Most of these broadcasts are on UDP 137 and 138, so it is Windows NetBIOS Name Service and NetBIOS Datagram Service. Since the router will not forward these and will not respond to these, perhaps an ACL to block them from the router interface would be an appropriate solution. I think that blocking the host or shutting down the port would be an overreaction.

HTH


Rick
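Added example, not part of any reply in this thread: a small Python parser for rows in the `show ip cache flow` layout quoted in the question. It decodes the hexadecimal Pr/SrcP/DstP columns (11 is UDP, 008A is 138, 0089 is 137) and totals packets sent to the subnet broadcast address. The function names and the sample rows are constructed for illustration; the 10.10.4.0/24 network is an assumption derived from the addresses and the 255.255.255.0 mask given in the question.

```python
import ipaddress
from collections import Counter

# Constructed sample in the column layout of the output quoted in the question.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01B7 008A     3
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 F1B1 0089     2
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 D564 445C     1
Fa0/1         10.10.4.3      Fa0/0         10.10.4.255    11 01AF 008A     6
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
PORT_NAMES = {137: "netbios-ns", 138: "netbios-dgm"}  # the two services named in the thread


def parse_flows(text):
    """Yield one dict per flow row; Pr, SrcP and DstP are hexadecimal in this output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # header, blank line, or not a flow row
        try:
            proto, sport, dport = (int(x, 16) for x in f[4:7])
            yield {"src": ipaddress.ip_address(f[1]), "dst": ipaddress.ip_address(f[3]),
                   "proto": proto, "sport": sport, "dport": dport, "pkts": int(f[7])}
        except ValueError:
            continue  # row with a field this parser does not understand


def broadcast_summary(text, network="10.10.4.0/24"):
    """Packets per (source, protocol, destination port) sent to the subnet broadcast."""
    bcast = ipaddress.ip_network(network).broadcast_address
    totals = Counter()
    for flow in parse_flows(text):
        if flow["dst"] == bcast:
            proto = PROTO.get(flow["proto"], str(flow["proto"]))
            port = PORT_NAMES.get(flow["dport"], str(flow["dport"]))
            totals[(str(flow["src"]), proto, port)] += flow["pkts"]
    return totals.most_common()  # heaviest talkers first


if __name__ == "__main__":
    for (src, proto, port), pkts in broadcast_summary(SAMPLE):
        print(f"{src} -> broadcast {proto}/{port}: {pkts} packets")
```

Run against the full flow cache rather than a pasted excerpt, the per-source totals show whether one host's broadcasts account for a meaningful share of the packets the router sees.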

paolo bevilacqua
Hall of Fame

These are just a few packets and are not the cause of high CPU. Look for that elsewhere.

Mero Cisco
Level 1

Dear All,

Thanks for your reply. I have pasted only part of the data. Hundreds of requests come in on the interface and the router gets busy with this. An ACL is one idea, but why is this coming, and how do I troubleshoot the PC? What is causing this?

Regards

Mero

Sent from Cisco Technical Support iPhone App

Again: even hundreds of these packets are not enough to cause problems.

You have not even mentioned which router this is and how it is configured, so it's impossible to tell more.

You should look for the "troubleshooting high CPU" documents and go from there, or engage a qualified/certified Cisco engineer for help.

Mero Cisco
Level 1

Hi,

It's a Cisco 1841. When I shut the port the PC is connected to, the CPU usage lowers to 20%-30%, but when I issue no shut, the CPU usage rises to 70%-90%. The netstat command on the PC shows unnatural behavior: hundreds of UDP packets, a few established ports, and many listening ports as well. Windows 2007 OS is installed on the PC.

Regards,

Mero

Sent from Cisco Technical Support iPhone App

Again: without seeing complete config and other output, no help is possible.

Hi Mero,

First of all, try using an ACL to block this traffic temporarily on the port which you shut down before. By this you will see if this traffic has the most impact on the CPU or if there is some other traffic adding to it, so you will probably need to do some captures of traffic. As Paolo correctly mentioned, right now we don't have much info to elaborate.

In regard to the traffic you showed at the very beginning: as Richard said, that is Windows NetBIOS Name Service and NetBIOS Datagram Service. Possibly this forum is not the right one to ask why Windows sends those packets. From a network standpoint, the most logical solution is to use an ACL to block unwanted traffic.

Nik

HTH,
Niko

There is no need for or benefit in using an ACL to 'block' NetBIOS broadcast packets or similar ones.

Actually it causes more processing in the router, because instead of simply dropping a packet that does not have to go anywhere, ACL logic and comparisons must be followed.

The only thing that can be done is configuring "no ip unreachables" under the relevant interface. The collateral effect is that this breaks traceroute first line output.

You can prevent the router from forwarding types of broadcasts with no ip forward-protocol udp. For example, for ports 137 and 138 it would be:

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

Have you configured ip helper-address? With this command configured, the router will automatically forward UDP broadcasts for different ports, and you may disable some or all with no ip forward-protocol udp.