[nsp] Router running out of memory

Krzysztof Adamski k at adamski.org
Tue Jul 6 23:24:05 EDT 2004


No NAT on the router. The worm is scanning for port 135; I can't block
that since they are using it.

K

On Tue, 6 Jul 2004, Church, Chuck wrote:

> I assume you're doing NAT, right?  It's most likely the NAT pool is
> growing huge and sucking up all the memory.  Do a 'sh ip nat tra' and by
> looking at the destination ports, you should be able to tell the port(s)
> this virus is trying to hit.  If it's a port they'd never need to access
> over the internet, block it with an ACL.  Good chance it's either ICMP
> echo, or a netbios port.  HTH.
>
> P.S.  Either 12.2 or 12.2T (can't remember which) will support CEF on
> 2600 dot1q subints.
>
>
> Chuck Church
> Wam!Net Government Services - D&I Team
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Office: 864-335-9473
> Cell: 703-819-3495
> cchurch at wamnetgov.com
> PGP key:
> http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Krzysztof
> Adamski
> Sent: Thursday, December 02, 1999 4:11 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Router running out of memory
>
> I'm maintaining a network for a customer. It is a hub-and-spoke design;
> the spoke links are 802.1q VLANs to the hub, no VPN.
> The hub router is a 2621 with 64MB of memory.
> The customer has a few hundred PCs at different sites; now they are
> infected with something that is scanning the world for more machines to
> infect.
>
> The hub router is running out of processor memory; within about 10
> minutes after reboot it has:
>                 Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
> Processor   81669824    31025116    28080224     2944892       79752       50052
>       I/O    3400000    12582912     1981184    10601728    10571664    10573980
>
> If I try to enable CEF I get:
> %DCEF not supported with 802.1q encapsulation on subinterface
> %CEF not supported with 802.1q encapsulation on subinterface
>
> Is there anything that can be done to prevent this? Would a bigger
> router be better?
>
> K
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


