[nsp] AS5300 losing memory

Jason Houx coldiso at houx.org
Fri Aug 22 15:50:23 EDT 2003


We created an acl like this {see below} and applied it to every one of our
AS5248's - our AS5350, AS5400, and AS5396 did not seem to have near the
problem that the AS5248's had.  The added overhead on the cpu has not been
horrible as we do have the rest of the world blocked for the most part at
the core with all this crap.  We used a perl script to deploy this
{in,out} on the Ethernet0 interface as that is always the same on these 
units.  Since doing this we have not had near as many phone calls to our 
call center of 0.0.0.0 host request disconnect, busy signals, or the 
lovely %SYS-2-MALLOCFAIL: Memory allocation on the Dial servers.

We had to go to this measure because after locking down the borders the 
massive amount of infected users on our network were trashing our legacy 
dial gear {AS5248's}.  What a month it has been. {sigh}

interface Ethernet0
 ip access-group 199 in
 ip access-group 199 out

access-list 199 remark Always let the monitoring box and the NOC netblock through
access-list 199 permit ip host $monitoring_software any
access-list 199 permit ip any host $monitoring_software
access-list 199 permit ip $noc_netblock $noc_inverse-subnet any
access-list 199 permit ip any $noc_netblock $noc_inverse-subnet
access-list 199 remark Drop ICMP and the worm ports, then pass everything else
access-list 199 deny   icmp any any
access-list 199 deny   udp any any eq 135
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 707
access-list 199 deny   tcp any any eq 707
access-list 199 deny   udp any any eq 445
access-list 199 deny   tcp any any eq 445
access-list 199 deny   tcp any any eq 593
access-list 199 deny   tcp any any eq 4444
access-list 199 deny   udp any any eq 137
access-list 199 deny   tcp any any eq 137
access-list 199 deny   udp any any eq 139
access-list 199 deny   tcp any any eq 139
access-list 199 permit ip any any


------------------------------------------------------------
    (_ )     Jason Houx, CCNA <coldiso at houx.org>
 \\\'',) ^   Com.net Inc.
   \/  \(    Bright.net Network Operations
   .\._/_)
   OpenBSD   Unix - live free or DIE!
------------------------------------------------------------


On Fri, 22 Aug 2003, Security wrote:

> We had similar problems and it is due to the recent virus. We block all
> necessary ports and in some cases, in order to save our network, we block
> ICMPs. We block ICMP to sites where we did not have powerful routers to
> handle all the ICMP traffic.
> 
> >Just to add to this - We too { AS7106 } started seeing the same issue
> >today and had been blocking the previous problems at the core.  Our 
> >AS5248's and AS5300 had been having the problem all day.  We just updated 
> >our core for the Nachi Worm and this looks to have slowed down the pace. 
> >We do have a TAC case open on this.  It will be interesting to see what 
> >they have to say ;-)  -  Anyone interested in me updating the list with 
> >TAC findings?  
> >
> >
> >
> >On Wed, 20 Aug 2003, Siva Valliappan wrote:
> >
> >> there are newer documents on CCO to combat the below worms.  you can find
> >> them on:
> >> 
> >> http://www.cisco.com/warp/public/707/advisory.html
> >> 
> >> cheers
> >> .siva
> >> 
> >> On Wed, 20 Aug 2003, Siva Valliappan wrote:
> >> 
> >> > Hi Jay,
> >> >
> >> >    your end users might be infected with blaster or some variant (sobig,
> >> > nachi, etc).  it sounds like you are fast-switching on those routers
> >> > and they are consuming all the available memory in building cache
> >> > tables.
> >> >
> >> > check the below url out on how to deal with such types of worms.
> >> >
> >> > http://www.cisco.com/warp/customer/63/ts_codred_worm.shtml
> >> >
> >> > cheers
> >> > .siva
> >> >
> >> > On Wed, 20 Aug 2003, Jay Nakamura wrote:
> >> >
> >> > >
> >> > > We have suddenly been having issues with our as5300s.  We were running
> >> > > 12.2(15)T5. I noticed a gradual memory leak over days, but one day free memory
> >> > > just dropped and most of our 5300s started crashing.  A reboot helped for a
> >> > > couple of hours but it started using up memory again.  I switched over to
> >> > > 12.2(17a) but that hasn't solved the problem.
> >> > >
> >> > > If I do "sh proc mem", it seems that "IP Input" is hogging the RAM.  If I do
> >> > > "clear ip route *", the free memory will increase to normal level but it
> >> > > will again keep dropping.
> >> > >
> >> > > I am unsure as to the cause of the problem.  Any suggestions on what to look
> >> > > for or what I can do?
> >> > >
> >> > > --
> >> > >
> >> > > -- J.S. Nakamura --                 Phone  (812)337-5070 x213
> >> > > -- Kiva Networking --               Fax    (812)337-5082
> >> > >                                     email  jnakamur at kiva.net
> >> > >
> >> > >
> >> > > _______________________________________________
> >> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >> > >
> >> >
> >> 
> >
> >
> >
> 
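As an added example (not the author's Perl deployment script), the following Python renders the access list from the post above from a CIDR netblock, deriving the inverse mask IOS wants, and checks the result for duplicate or unreachable entries before it is pushed out to the access servers. The monitoring host and NOC netblock values are constructed from documentation ranges.

```python
import ipaddress

# Port list taken from the access-list in the post above (Blaster/Nachi-era worm traffic).
DENY_PORTS = [
    ("udp", 135), ("tcp", 135), ("udp", 707), ("tcp", 707),
    ("udp", 445), ("tcp", 445), ("tcp", 593), ("tcp", 4444),
    ("udp", 137), ("tcp", 137), ("udp", 139), ("tcp", 139),
]

def wildcard(netblock):
    """Turn a CIDR block into the (network, inverse mask) pair an IOS ACL expects."""
    net = ipaddress.ip_network(netblock, strict=True)
    return str(net.network_address), str(net.hostmask)

def render_acl(acl_no, monitoring_host, noc_netblock):
    """Render the ACL: NOC/monitoring permits first, then the denies, then permit any."""
    net_addr, inv = wildcard(noc_netblock)
    lines = [
        f"access-list {acl_no} permit ip host {monitoring_host} any",
        f"access-list {acl_no} permit ip any host {monitoring_host}",
        f"access-list {acl_no} permit ip {net_addr} {inv} any",
        f"access-list {acl_no} permit ip any {net_addr} {inv}",
        f"access-list {acl_no} deny   icmp any any",
    ]
    lines += [f"access-list {acl_no} deny   {p} any any eq {port}" for p, port in DENY_PORTS]
    lines.append(f"access-list {acl_no} permit ip any any")
    return lines

def check_acl(lines):
    """Flag duplicate entries and entries shadowed by an earlier 'permit ip any any'."""
    findings, seen, open_any = [], set(), False
    for pos, line in enumerate(lines, start=1):
        if line in seen:
            findings.append(f"line {pos}: duplicate entry: {line}")
        if open_any:
            findings.append(f"line {pos}: unreachable after permit ip any any: {line}")
        seen.add(line)
        if line.split()[2:] == ["permit", "ip", "any", "any"]:
            open_any = True
    return findings

if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not a real NOC.
    acl = render_acl(199, "192.0.2.10", "198.51.100.0/24")
    print("\n".join(acl))
    print(check_acl(acl) or "ACL looks clean")
```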


