[c-nsp] PIX-virus-DoS-connection problem

Cheung, Rick Rick.Cheung at nextelpartners.com
Thu Nov 11 12:34:33 EST 2004


Do you have TurboACL configured for the anti-spoof ACLs you
mentioned?

That should help cap CPU consumption.



Rick Cheung

-----Original Message-----
From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl]
Sent: Thursday, November 11, 2004 11:02 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX-virus-DoS-connection problem


Hello Admins

We have two PIX 525s in failover mode with unexpected behavior.

Yesterday, a virus/worm (probably a Kazaa worm) infected one of
our PCs and started to generate 48 IP-spoofed packets per second to
a list of destinations (I suppose other Kazaa members).

Since our PIX is configured to drop spoofed IP packets on the
inside and outside interfaces, the CPU went up to 92% and the
number of "active connections" was increasing at a linear rate.

This traffic did not reach the border router; the packets were
indeed dropped by the PIX, but the number of connections and the
CPU load were NOT NORMAL.

After we unplugged the infected PC, the PIX CPU went back to
normal, but the number of active connections (reported by SNMP)
was still rising. I waited more than 1 hour (the default idle
connection timeout) and still nothing...

I have this graphed at:
http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm

We are using PIX version 6.2(2). Using PDM I graphed the CPU
and number of connections at:

http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg

Is this a PIX malfunction that does not reset the SNMP
connection counters?? (since the PDM graph differs)

Has anyone else experienced this?

thanks,
-- 
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico                     (Electronic Engineer)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl	http://elqui.dcsc.utfsm.cl/
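The symptom described above (the SNMP connection count still climbing a full idle timeout after the infected host was unplugged, with CPU back to normal) can be checked from poll data. This is an added example, not code from the thread or from Cisco; the poll samples are constructed and the 30% "normal CPU" ceiling is an assumption.

```python
"""Check SNMP polls of a PIX for a connection table that keeps growing.

Added example, not from the thread. SAMPLES below is constructed: polls
every 5 min, the infected host unplugged at t=3600 s, and 30% CPU is an
assumed "normal" ceiling."""
from dataclasses import dataclass

IDLE_TIMEOUT_S = 3600  # PIX default idle connection timeout (1 hour)

@dataclass
class Sample:
    t: int      # seconds since the first poll
    conns: int  # active connections reported by SNMP
    cpu: int    # CPU utilisation, percent

def growth_rate(samples):
    """Least-squares slope of conns over time, in connections per second."""
    n = len(samples)
    mean_t = sum(s.t for s in samples) / n
    mean_c = sum(s.conns for s in samples) / n
    num = sum((s.t - mean_t) * (s.conns - mean_c) for s in samples)
    den = sum((s.t - mean_t) ** 2 for s in samples)
    return num / den if den else 0.0

def check_conn_table(samples, source_removed_at, cpu_normal=30):
    """Flag (1) a conn storm while CPU is high and (2) a counter still rising
    a full idle timeout after the host was removed with CPU back to normal."""
    findings = []
    during = [s for s in samples if s.t < source_removed_at]
    after = [s for s in samples if s.t >= source_removed_at + IDLE_TIMEOUT_S]
    if len(during) >= 2 and growth_rate(during) > 0:
        peak = max(s.cpu for s in during)
        if peak > cpu_normal:
            findings.append(f"conn storm: +{growth_rate(during):.1f} conn/s, "
                            f"CPU peak {peak}%")
    if len(after) >= 2 and growth_rate(after) > 0:
        if max(s.cpu for s in after) <= cpu_normal:
            findings.append("conns still rising past idle timeout with CPU "
                            "normal: compare SNMP with 'show conn count'")
    return findings

# Constructed polls: fast linear growth while infected, slow creep afterwards.
SAMPLES = ([Sample(t, 1000 + 40 * t, 92) for t in range(0, 3600, 300)] +
           [Sample(t, 145000 + 2 * (t - 3600), 10) for t in range(3600, 10800, 300)])

if __name__ == "__main__":
    for line in check_conn_table(SAMPLES, source_removed_at=3600):
        print(line)
```

A real poller would feed `Sample` rows from the SNMP counter the PIX exposes rather than the constructed list.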
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/