I think I'm being attacked. What can I do?

gboyce
Level 1

I have been having trouble all day with customer VPNs dropping and general internet frustrations. We are a small ISP. When I monitor the port between the switch and the router with Wireshark I see a bunch of time-to-live exceeded (time-to-live exceeded in transit) messages from the switch IP to a public IP outside of our network. When I look at the packet info I see the source is one of the public IPs for a customer and the destination is the public IP outside my network, or vice versa. If I go into the CLI for my C9300 and try to ping its management address, one time I will get 100% response and the next time I will get 40% response. My switch CPU load is 4% and I have 5135908 KB out of 7757604 memory free. I have one public subnet that is going through this switch but not being routed through it, and that subnet works fine.

Does anyone have any idea what's happening?

2 Replies

balaji.bandi
Hall of Fame

If the switch is exposed to a public IP: the switch does not have any capabilities like a FW, but you can do ACLs.

Still, we have limited information; show us an HLD diagram of your network. Where do you think the attack took place?

 

BB


Hello,

Not sure if this is an attack; it sounds more like a routing loop somewhere. What is the output of the traceroute?

'Time-to-live exceeded in transit' means that the IP packets have gone across too many router hops. Each router decrements the TTL field, and when it reaches 0, the last router drops the packet and responds with an ICMP packet with a TTL exceeded error code.
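The routing-loop explanation in the reply above can be made concrete with a small simulation. The following is an added example, not code from the thread or from Cisco: it models a hypothetical ISP edge where the router believes a whole /24 sits behind the L3 switch, while the switch only has half of it configured and sends the rest back through its default route. Every hop decrements TTL, and the device that takes TTL to 0 drops the packet and replies with ICMP type 11, code 0 (time-to-live exceeded in transit), exactly the message class the original poster saw in Wireshark. The topology, device names and RFC 5737 documentation addresses are all constructed for the example.

```python
"""Constructed simulation of TTL decrement and ICMP Time Exceeded (type 11,
code 0) along a forwarding path that contains a routing loop. Added example;
the topology and addresses (RFC 5737 documentation ranges) are made up."""
import ipaddress
from collections import Counter

ICMP_TIME_EXCEEDED = 11          # ICMP type 11
TTL_EXCEEDED_IN_TRANSIT = 0      # code 0: "time-to-live exceeded in transit"
LOCAL = "local"                  # next-hop sentinel: deliver to a connected host

# Hypothetical edge: the router points 198.51.100.0/24 at the switch, but the
# switch only has 198.51.100.0/25 configured and defaults everything else back
# to the router. Hosts in 198.51.100.128/25 therefore bounce between the two
# devices until TTL reaches 0.
ROUTES = {
    "router":   [("198.51.100.0/24", "switch"), ("0.0.0.0/0", "upstream")],
    "switch":   [("198.51.100.0/25", LOCAL),    ("0.0.0.0/0", "router")],
    "upstream": [("0.0.0.0/0", LOCAL)],
}


def longest_match(table, dst):
    """Longest-prefix lookup; returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(routes, first_hop, src, dst, ttl):
    """Walk one packet hop by hop. Each router decrements TTL; the router that
    takes it to 0 drops the packet and answers the source with ICMP type 11.
    Returns a dict with the outcome, the ICMP reply (if any) and the hop list."""
    node, path = first_hop, []
    while True:
        path.append(node)
        ttl -= 1
        if ttl <= 0:
            icmp = {"type": ICMP_TIME_EXCEEDED, "code": TTL_EXCEEDED_IN_TRANSIT,
                    "from": node, "to": src, "quoted_dst": dst}
            return {"delivered": False, "icmp": icmp, "path": path}
        next_hop = longest_match(routes[node], dst)
        if next_hop == LOCAL:
            return {"delivered": True, "icmp": None, "path": path}
        if next_hop is None:
            # No route at all: silently dropped here (ICMP unreachable is out of scope)
            return {"delivered": False, "icmp": None, "path": path}
        node = next_hop


def looping_destinations(results):
    """Count ICMP Time Exceeded replies per quoted destination: the same view a
    Wireshark display filter of icmp.type == 11 gives, and the fastest way to
    see which prefix the bad route covers."""
    return Counter(r["icmp"]["quoted_dst"] for r in results if r["icmp"])


if __name__ == "__main__":
    # Constructed flows from "outside" hosts towards customer addresses.
    flows = [("203.0.113.5", "198.51.100.7"),
             ("203.0.113.5", "198.51.100.200"),
             ("203.0.113.9", "198.51.100.201")]
    results = [forward(ROUTES, "router", s, d, 64) for s, d in flows]
    for (s, d), r in zip(flows, results):
        print(f"{s} -> {d}: {len(r['path'])} hops, icmp={r['icmp']}")
    print(looping_destinations(results))
```

The delivered flow crosses two hops; the two looping flows each burn all 64 TTL units alternating between the router and the switch, and the switch (the device holding TTL when it hits 0) is the one that emits the ICMP reply, which matches the poster's observation of time-exceeded messages leaving the switch IP. Running `looping_destinations` over the results points straight at the half of the /24 that lacks a real route, which is where a traceroute from the router would also show the repeating pair of hops.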
