[nsp] Router running out of memory

Church, Chuck cchurch at wamnetgov.com
Wed Jul 7 00:05:33 EDT 2004


So it's probably the route cache using the memory then.  Can you create
an ACL to block 135 going to unknown destinations, and allow it only to
valid subnets?  Typically these worms try scanning the whole /16 the
host is a part of.  If you can identify the actual size of the packets,
you might be able to block it with a class-map. 


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
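A concrete rendering of the two suggestions above (an added example, not Chuck's or the list's own configuration): an ACL that permits TCP/135 only toward the customer's own address space, applied inbound on the hub's spoke-facing dot1q subinterfaces, plus the optional packet-length class-map. The 10.0.0.0/16 aggregate, the interface and VLAN numbers, and PACKET_LEN are assumptions, and the class-map/policy-map part assumes a 12.2T-family image that supports MQC "match packet length" and the "drop" action.

```cisco
! Added example: let hosts reach TCP/135 on the customer's real subnets
! (10.0.0.0/16 is a placeholder for that address space) and drop 135
! aimed anywhere else, which is where the scan traffic goes.
ip access-list extended LIMIT-135
 permit tcp any 10.0.0.0 0.0.255.255 eq 135
 deny   tcp any any eq 135
 permit ip any any
!
! Apply it inbound on every spoke-facing dot1q subinterface of the hub, so
! the scan packets are discarded before they can populate the route cache.
! Interface and VLAN numbers are placeholders.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group LIMIT-135 in
!
! Optional: if the scan packets have a fixed size, match on length as well.
! PACKET_LEN must be replaced with the size measured on the wire; the MQC
! "match packet length" and "drop" keywords are assumed to exist on this image.
ip access-list extended ANY-135
 permit tcp any any eq 135
!
class-map match-all WORM-SCAN
 match access-group name ANY-135
 match packet length min PACKET_LEN max PACKET_LEN
!
policy-map DROP-WORM
 class WORM-SCAN
  drop
!
interface FastEthernet0/0.10
 service-policy input DROP-WORM
!
! Verify with counters rather than the "log" keyword: logging punts every
! matching packet to the process path, which a memory-starved router cannot
! afford.
! show ip access-lists LIMIT-135
! show policy-map interface FastEthernet0/0.10
! show processes memory
! show ip cache
```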


-----Original Message-----
From: Krzysztof Adamski [mailto:k at adamski.org] 
Sent: Thursday, December 02, 1999 4:27 AM
To: Church, Chuck
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] Router running out of memory

No NAT on the router, the worm is scanning for port 135, I can't block
that since they are using it.

K

On Tue, 6 Jul 2004, Church, Chuck wrote:

> I assume you're doing NAT, right?  It's most likely the NAT pool is 
> growing huge and sucking up all the memory.  Do a 'sh ip nat tra' and 
> by looking at the destination ports, you should be able to tell the 
> port(s) this virus is trying to hit.  If it's a port they'd never need
> to access over the internet, block it with an ACL.  Good chance it's 
> either ICMP echo, or a netbios port.  HTH.
>
> P.S.  Either 12.2 or 12.2T (can't remember which) will support CEF on 
> 2600 dot1q subints.
>
>
> Chuck Church
> Wam!Net Government Services - D&I Team
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Office: 864-335-9473
> Cell: 703-819-3495
> cchurch at wamnetgov.com
> PGP key:
> http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Krzysztof 
> Adamski
> Sent: Thursday, December 02, 1999 4:11 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Router running out of memory
>
> I'm maintaining a network for a customer, it is hub and spoke design, 
> the spoke links are 802.1q VLANs to the hub, no VPN.
> The hub router is a 2621 with 64MB of memory.
> The customer has few hundred PCs at different sites, now they are 
> infected with something that is scanning the world for more machines 
> to infect.
>
> The hub router is running out of processor memory, within about 10 
> minutes after reboot it has:
>                 Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
> Processor   81669824    31025116    28080224     2944892       79752      50052
>       I/O    3400000    12582912     1981184    10601728    10571664   10573980
>
> If I try to enable CEF I get:
> %DCEF not supported with 802.1q encapsulation on subinterface
> %CEF not supported with 802.1q encapsulation on subinterface
>
> Is there anything that can be done to prevent this? Would a bigger 
> router be better?
>
> K
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>