[c-nsp] PIX-virus-DoS-connection problem
Marcelo Maraboli
marcelo.maraboli at usm.cl
Thu Nov 11 11:01:46 EST 2004
Hello Admins
We have 2 525 PIX in failover mode with an unexpected behavior.
Yesterday, a virus/worm (probably a Kazaa worm) infected one of
our PC ans started to generate 48 IP spoofed packets per second to
a list of destinations (I suppose other Kazaa members).
Since our PIX is configured to drop Spoofed IP packets on the
Inside and Outside interfaces, the CPU went up to 92% and the
number of "active connections" was increasing at a linear rate.
Even though this traffic did not reach the border router, these
packets were indeed dropped by the PIX, but the number of connections
and CPU were NOT NORMAL.
After we unpluged the infected PC, the PIX CPU went back to
normal, but the number of active connections (reported by SNMP)
still was rising. I waited more than 1 hour (default idle connection
timeout) and still nothing...
I have this graphed at:
http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm
we are using PIX version 6.2(2). Using PDM I graphed the CPU
and number of connections at:
http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg
Is this a PIX malfunction and does not reset the SNMP
connections counters ?? (since the PDM graph differs)
anyone else experienced this ?
thanks,
--
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico (Electronic Engineer)
Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl http://elqui.dcsc.utfsm.cl/
More information about the cisco-nsp
mailing list