
high CPU processes router 3600


droguer03

Technical User
Sep 8, 2003
8
MX
I have a high use of CPU on my router Cisco 3620. I think my problem is a virus, because when I run a sh ip accounting the results are a lot of packets of 78 bytes, each one from a specific IP address.

example:
7.7.5.19 167.170.46.221 1 78
7.7.5.19 167.170.46.220 1 78
7.7.5.19 167.170.46.223 1 78
7.7.5.19 167.170.46.222 1 78
7.7.5.19 167.170.46.217 1 78
7.7.5.19 167.170.46.216 1 78
7.7.5.19 167.170.46.219 1 78
7.7.5.19 167.170.46.218 1 78
7.7.5.110 202.122.253.215 1 78
7.7.5.182 170.162.127.54 1 78
7.7.5.182 170.162.127.55 1 78
7.7.5.110 202.122.253.222 1 78
7.7.5.182 170.162.127.60 1 78
7.7.5.110 202.122.253.223 1 78
7.7.5.182 170.162.127.61 1 78

If someone knows something about it, I'll appreciate any help.
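As an added example (not part of the original question or any reply), the following Python script parses output in the layout quoted above and flags sources that send one small packet to many distinct destinations, which is the pattern the question describes. The rows for 7.7.5.x are the question's own numbers; the 10.0.0.5 rows, the thresholds, the header line and the ACL number 101 are assumptions made for this example. The ACL lines it prints are candidates for an administrator to review, not something to apply blindly.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "sh ip accounting" output quoted in the
# question (source, destination, packets, bytes). The 7.7.5.x rows are the
# thread's own numbers; the 10.0.0.5 rows are constructed "normal" traffic.
SAMPLE_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 7.7.5.19         167.170.46.221                 1                    78
 7.7.5.19         167.170.46.220                 1                    78
 7.7.5.19         167.170.46.223                 1                    78
 7.7.5.19         167.170.46.222                 1                    78
 7.7.5.19         167.170.46.217                 1                    78
 7.7.5.19         167.170.46.216                 1                    78
 7.7.5.19         167.170.46.219                 1                    78
 7.7.5.19         167.170.46.218                 1                    78
 7.7.5.110        202.122.253.215                1                    78
 7.7.5.182        170.162.127.54                 1                    78
 7.7.5.182        170.162.127.55                 1                    78
 7.7.5.110        202.122.253.222                1                    78
 7.7.5.182        170.162.127.60                 1                    78
 7.7.5.110        202.122.253.223                1                    78
 7.7.5.182        170.162.127.61                 1                    78
 10.0.0.5         198.51.100.10                 40                 52000
 10.0.0.5         198.51.100.11                 12                  9600
"""

# One accounting row: source IP, destination IP, packet count, byte count.
LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_accounting(text):
    """Return a list of (src, dst, packets, bytes) tuples, skipping header lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, pkts, nbytes = m.groups()
            flows.append((src, dst, int(pkts), int(nbytes)))
    return flows


def summarize_sources(flows):
    """Aggregate per source: distinct destinations, packets, bytes and packet sizes seen."""
    stats = defaultdict(lambda: {"dests": set(), "packets": 0, "bytes": 0, "sizes": set()})
    for src, dst, pkts, nbytes in flows:
        s = stats[src]
        s["dests"].add(dst)
        s["packets"] += pkts
        s["bytes"] += nbytes
        s["sizes"].add(nbytes // pkts if pkts else 0)
    return stats


def find_sweepers(flows, min_destinations=5, max_avg_bytes=100):
    """Flag sources that reach many distinct destinations with small packets.

    The thresholds are assumptions chosen for this example; tune them per site.
    Returns (src, distinct_destinations, avg_bytes_per_packet, uniform_size)
    tuples sorted by destination count, highest first.
    """
    hits = []
    for src, s in summarize_sources(flows).items():
        avg = s["bytes"] / s["packets"] if s["packets"] else 0
        if len(s["dests"]) >= min_destinations and avg <= max_avg_bytes:
            hits.append((src, len(s["dests"]), avg, len(s["sizes"]) == 1))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def candidate_acl_lines(hits, acl_number=101):
    """Render one IOS access-list entry per flagged host for an admin to review.

    The ACL number is an arbitrary assumption; the list still has to be applied
    to an interface by hand after the hosts have been confirmed as infected.
    """
    return [f"access-list {acl_number} deny ip host {src} any log" for src, *_ in hits]


if __name__ == "__main__":
    flows = parse_accounting(SAMPLE_ACCOUNTING)
    hits = find_sweepers(flows)
    for src, n_dst, avg, uniform in hits:
        print(f"{src}: {n_dst} destinations, {avg:.0f} bytes/packet, uniform size={uniform}")
    for line in candidate_acl_lines(hits):
        print(line)
```

With the default thresholds only 7.7.5.19 is reported (eight destinations, 78 bytes per packet, every packet the same size); lowering min_destinations to 3 also surfaces 7.7.5.182 and 7.7.5.110, while the constructed 10.0.0.5 traffic is never flagged because its packets average well over 100 bytes.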


 
Could be a virus, could be an attack. It could even be a bad ethernet card chattering away. I would say run a sweep on your end user machines (if you have antivirus programs on them). And try to log your traffic to get a clearer picture of what is happening.
 
In cases like this I've used Netflow to get a better idea of the traffic profile, it shows the source and destination IP addresses and ports, so can aid the creation of a filter.
You'll need to use IP CEF as well if your IOS supports it.

 
I have never thought of doing that?!?!?!?!?!!!!

Damn, why can't I think up the cool s!@#!!


 
Tschouten, I'd rather look at the problem from the router's perspective, I understand that bit.
It's the PCs and the servers that I don't understand, all those different OSs and applications!!!

We used this to track the recent Blaster problems on some of my customer sites, then apply filters to limit damage whilst the PCs were virus checked etc.
 
I will tell you this: if you do not scan the network and clean up Welchia you will hose up the CPU on your core and be down. Welchia infects a PC on the network and then spoofs the IP it is coming from, so it is a bitch to try to hunt down the culprit. Even if you run the MS patch on all your PCs it does not mean you're clean. Any PC that had the virus before the virus was cleaned still has it. You have to run the Welchia fix patch before the hotfix from MS.

What we have done is to add a couple of lines in the users' login scripts to run the fix, then the patch, and a text file telling them DO NOT cancel this process and that their computer will reboot at the end. If some people do not turn off their PC at night you can force that through SMS or Altiris.
 
<<<<Tschouten, I'd rather look at the problem from the router's perspective, I understand that bit.
It's the PCs and the servers that I don't understand, all those different OSs and applications!!!

We used this to track the recent Blaster problems on some of my customer sites, then apply filters to limit damage whilst the PCs were virus checked etc. >>>>>>

I completely agree with you routerman, I was just pissed I didn't think of using NetFlow in that manner. Well, not pissed, just thinking that is a damn good idea and use of the router to supply you with what you are looking for, instead of relying on sniffers and whatnot.




 
Well, I am also getting this pattern continuously on my router. These packets are coming from another site at one of my WAN connections. Do you know what this packet size is typically related to? I found that it is most probably directed to ports 135 and 137?

Thanks
 
Troubleshooting high CPU is actually a simple process. The very first thing you need to do is run the "show proc cpu" command, and actually see what the specific feature is that is causing the burden. If you are running NAT, it could be your Pool Manager (especially if you have a virus), for example. The Nachi virus floods your NAT entry table with ICMP logs. My one router had about 30,000 NAT entries the first day the virus came out. Anyways, after you identify the process, just run a search on what causes it and how to fix it on Cisco's website.

This can help out...



Also iomran, you should never have ports 135 and 137 open to the public. Those two are among the easiest and potentially deadliest to attack.
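As an added example, separate from this reply and not written by its author, the Python script below parses text in the layout of "show processes cpu" and does the first triage step the reply describes: read the headline figure, then rank the processes. IOS prints the five-second load as "X%/Y%", where Y is the share spent in interrupt context (packet switching) and X minus Y is the share consumed by scheduled processes; a box that is busy mostly at interrupt level is simply forwarding a flood, while a box whose time sits in one process (IP Input, the NAT processes, and so on) points at that feature. The sample output, its process names and percentages, and the busy threshold are constructed for this example, not taken from any real router.

```python
import re

# Constructed sample laid out like "show processes cpu" on IOS. The process
# names and figures are invented for this example, not captured from a router.
SAMPLE_PROC_CPU = """\
CPU utilization for five seconds: 98%/12%; one minute: 97%; five minutes: 95%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1           0         1      0  0.00%  0.00%  0.00%   0 Chunk Manager
   2        1240     15232     81  0.00%  0.00%  0.00%   0 Load Meter
  47      981220   2231541    439 61.40% 60.12% 58.90%   0 IP Input
  62      402330    883112    455 22.16% 23.01% 22.50%   0 IP NAT Ager
  95         912      4021    226  1.20%  0.90%  0.80%   2 Virtual Exec
"""

# Headline: total five-second load, interrupt-level share, one- and five-minute loads.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Per-process row: PID, runtime, invoked, usecs, 5Sec%, 1Min%, 5Min%, TTY, name.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$"
)


def parse_proc_cpu(text):
    """Return (totals, processes).

    totals is a dict with the headline percentages (or None if no header line
    was found); processes is a list of dicts with pid, name and the three
    per-process percentages.
    """
    totals = None
    procs = []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            five_sec, interrupt, one_min, five_min = map(int, h.groups())
            totals = {"five_sec": five_sec, "interrupt": interrupt,
                      "one_min": one_min, "five_min": five_min}
            continue
        p = PROC_RE.match(line)
        if p:
            procs.append({"pid": int(p.group(1)), "name": p.group(9),
                          "five_sec": float(p.group(5)),
                          "one_min": float(p.group(6)),
                          "five_min": float(p.group(7))})
    return totals, procs


def top_processes(procs, n=3):
    """Processes ranked by their five-second share, busiest first."""
    return sorted(procs, key=lambda p: p["five_sec"], reverse=True)[:n]


def triage(totals, procs, busy_threshold=80):
    """Say where the CPU time is going.

    "idle"            : total load below the (assumed) busy threshold
    "interrupt"       : most of the load is interrupt-level packet switching
    "process:<name>"  : most of the load is scheduled processes; <name> is the
                        busiest one and is where to start the search
    """
    if totals is None:
        return "no-header"
    if totals["five_sec"] < busy_threshold:
        return "idle"
    process_level = totals["five_sec"] - totals["interrupt"]
    if totals["interrupt"] > process_level:
        return "interrupt"
    top = top_processes(procs, 1)
    return f"process:{top[0]['name']}" if top else "process:unknown"


if __name__ == "__main__":
    totals, procs = parse_proc_cpu(SAMPLE_PROC_CPU)
    print(f"five-second load {totals['five_sec']}%, interrupt {totals['interrupt']}%")
    for p in top_processes(procs):
        print(f"  {p['five_sec']:6.2f}%  {p['name']}")
    print("verdict:", triage(totals, procs))
```

On the constructed sample the verdict is "process:IP Input" with IP NAT Ager second, which is the NAT-table symptom the reply describes; a header such as "95%/90%" with nothing notable in the process list would instead yield "interrupt", meaning the router is busy forwarding the traffic itself and the fix belongs on the hosts or in a filter rather than in any one feature.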
 
Just as the top man said, I would believe that your end users' computers just have some kind of virus, maybe Microsoft Blaster. You can deny the port numbers 135, 139, 445, 4444 just using an ACL.
In addition, you can prohibit ICMP packets on your router or MLS.
Hope this helps.
 