[c-nsp] pix 535 issues

Jeff Kell jeff-kell at utc.edu
Wed Jan 18 08:49:44 EST 2006


Ted Mittelstaedt wrote:
> virus infected system on the inside, blasting thousands of copies of
> itself to random ip numbers on the Internet, overflows the internal translation
> table and uses up all the free ram.
We see this more often than I'd like, on a 515E (only 32Mb).  Somewhere
around 28-30k connections and new connections start to generate "memory
allocation errors" in the logs, and the connection requests are ignored.

Doesn't have to be a virus.  P2P will do it too, especially when set up
as a "supernode" or "ultrapeer", if you allow that.  Skype has a
"supernode" mode too.  The newer variants that can run in UDP mode are
especially bad.

You can watch connection counts (console, PDM, probably SNMP), or devise
some means of analyzing the connections that are active to try to find
the source[s].  Unfortunately, at least on PIX 6.3, there is no
connection throttling mechanism like more recent IOS implementations.  I
don't know about 7.0.

If you use a wrapper of your choice to load the output of a "show conn"
into a perl array @session, this snippet from one of our operations crew
may help:

use strict;
use warnings;
use CGI;                   # $query was never defined in the original; end_html needs a CGI object

my $query = CGI->new;
our @session;              # filled by your wrapper with the lines of "show conn" output

# First line of "show conn" is the summary ("N in use, M most used")
my $totalConnections = $session[0];
shift @session;  #Remove the total Number of connections
my %ipAddress;
foreach (@session)
{
        # Data lines look like:
        #   TCP out A.B.C.D:port in W.X.Y.Z:port idle 0:00:05 Bytes 1512 flags UIO
        # Split on the " in " keyword with its surrounding whitespace so the
        # inside address is captured without a leading space in the hash key.
        my $ip = (split(/\s+in\s+/, $_))[1];
        next unless defined $ip;   # skip blank or unexpected lines
        $ip = (split(/:/, $ip))[0];
        if (exists $ipAddress{$ip})
        {
                $ipAddress{$ip} = $ipAddress{$ip} + 1;
        }
        else
        {
                $ipAddress{$ip} = 1;
        }
}

my $count = 0;
print "<table><tr><th>IP</th><th>Number of Connections</th></tr>";
foreach (sort {$ipAddress{$b} <=> $ipAddress{$a}} keys %ipAddress)
{
        # "last" rather than "exit": exit would terminate the script here and
        # the closing table tag and the total below would never be printed.
        if($count > 9){last;}  #For the top 10
        print "<tr><td>$_</td><td>$ipAddress{$_}</td></tr>";
        $count++;
}
print "</table>";
print "Total,$totalConnections\n";
print $query->end_html;

Jeff


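The per-inside-host counting the post describes, as an added example that is not part of Jeff's snippet or the original thread: it parses the PIX 6.x "show conn" line format (`TCP out a.b.c.d:port in w.x.y.z:port idle ...`, summary line `N in use, M most used`), counts connections per inside host and per protocol, produces the same kind of top-N list, and additionally flags hosts holding more connections than a chosen limit, so a supernode or a spraying host stands out before the translation table fills. The sample output, the addresses, the per-host limit and all function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.x "show conn" output (not a real capture).
SAMPLE_SHOW_CONN = """\
7 in use, 30112 most used
TCP out 198.51.100.10:80 in 10.1.1.5:1034 idle 0:00:05 Bytes 1512 flags UIO
TCP out 198.51.100.11:80 in 10.1.1.5:1035 idle 0:00:03 Bytes 0 flags saA
UDP out 203.0.113.7:4662 in 10.1.1.5:3105 idle 0:00:14 flags -
UDP out 203.0.113.8:4662 in 10.1.1.5:3106 idle 0:00:12 flags -
UDP out 203.0.113.9:4662 in 10.1.1.5:3107 idle 0:00:11 flags -
TCP out 198.51.100.20:443 in 10.1.1.9:2201 idle 0:01:10 Bytes 8821 flags UIO
UDP out 198.51.100.53:53 in 10.1.1.12:1029 idle 0:00:01 flags -
"""

# Summary line: "<in use> in use, <most used> most used"
SUMMARY_RE = re.compile(r"^(\d+)\s+in use,\s+(\d+)\s+most used")
# Connection line: proto, outside addr:port, inside addr:port (rest of line ignored)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
)


def parse_show_conn(text):
    """Return (in_use, most_used, [conn dicts]) from raw 'show conn' text."""
    in_use = most_used = None
    conns = []
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append(m.groupdict())
        # anything else (blank lines, prompts) is skipped
    return in_use, most_used, conns


def conns_per_inside_host(conns):
    """Per inside host: how many TCP and how many UDP connections it holds."""
    per_host = {}
    for c in conns:
        d = per_host.setdefault(c["in_ip"], {"TCP": 0, "UDP": 0})
        d[c["proto"]] += 1
    return per_host


def top_talkers(conns, n=10):
    """Inside hosts with the most connections, like the post's top-10 table."""
    counts = Counter(c["in_ip"] for c in conns)
    return counts.most_common(n)


def flag_hosts(conns, per_host_limit):
    """Inside hosts holding more than per_host_limit connections (any protocol)."""
    return {
        ip: d
        for ip, d in conns_per_inside_host(conns).items()
        if d["TCP"] + d["UDP"] > per_host_limit
    }


if __name__ == "__main__":
    in_use, most_used, conns = parse_show_conn(SAMPLE_SHOW_CONN)
    print(f"{in_use} in use, {most_used} most used")
    for ip, n in top_talkers(conns):
        print(f"{ip:16} {n}")
    # limit of 3 is a constructed value; pick one relative to your box's table size
    print("over limit:", flag_hosts(conns, per_host_limit=3))
```

The UDP-heavy host in the sample is the case the post warns about: per-protocol counts make a UDP-mode P2P client distinguishable from a busy web client with the same total. Feed it real output by replacing `SAMPLE_SHOW_CONN` with the text your wrapper collects, and run it from a poller so the "most used" high-water mark is tracked against the point where your PIX starts logging memory allocation errors.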