No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40 CPU Usage Increases because of SSH Attack

Publication Date:  2012-07-27 Views:  45 Downloads:  0
Issue Description
#display cpu
CPU Performance:                                                                
           0 seconds ago ||===                 ||  18%                          
          30 seconds ago ||===                 ||  16%                          
          60 seconds ago ||===                 ||  16%                          
          90 seconds ago ||==                  ||  14%                          
         120 seconds ago ||==                  ||  14%                          
         150 seconds ago ||==                  ||  14%                          
         180 seconds ago ||==                  ||  13%                          
         210 seconds ago ||==                  ||  13%                          
         240 seconds ago ||==                  ||  14%                          
         270 seconds ago ||==                  ||  13%                          
         300 seconds ago ||=======             ||  36%                          
         330 seconds ago ||==================  ||  94%                          
         360 seconds ago ||=================== ||  96%                          
         390 seconds ago ||=================== ||  95%                          
         420 seconds ago ||=================== ||  96%                          
         450 seconds ago ||=================== ||  95%                          
         480 seconds ago ||=================== ||  97%                          
         510 seconds ago ||====                ||  24%                          
         540 seconds ago ||===                 ||  18%                          
Alarm Information
Current FSM is : SSH_Main_VersionMatch                                          
%Sep 14 03:49:37 2006 NE40-A-ZZ1 SSH/5/fsm_move:FSM MOVE FROM SSH_Main_VersionMa
tch TO SSH_Main_Disconnect                                                      
%Sep 14 03:49:37 2006 NE40-A-ZZ1 SSH/5/ver_major_err:Protocol major versions dif
fer: 1 vs. 2                                                                    
%Sep 14 03:49:37 2006 NE40-A-ZZ1 SSH/5/err_dissconnect:The connection is closed 
by SSH Server                                                                   
Current FSM is : SSH_Main_VersionMatch                                          
%Sep 14 03:49:37 2006 NE40-A-ZZ1 SSH/5/fsm_move:FSM MOVE FROM SSH_Main_VersionMa
tch TO SSH_Main_Disconnect                                                      
%Sep 14 04:15:50 2006 NE40-A-ZZ1 SSH/5/fsm_move:FSM MOVE FROM SSH_Main_Connect T
O SSH_Main_VersionMatch                                                         
%Sep 14 04:15:50 2006 NE40-A-ZZ1 SSH/5/ver_major_err:Protocol major versions dif
fer: 1 vs. 2                                                                    
%Sep 14 04:15:50 2006 NE40-A-ZZ1 SSH/5/err_dissconnect:The connection is closed 
by SSH Server                      
Handling Process
Add the following configuration for vty users:
user-interface vty 0 4
 protocol inbound telnet
 protocol inbound telnet command (the command means it configures supporting protocol of users' interface. It only accepts telnet users, not SSH users.). ANd then there is no alarm.
Root Cause
During SSH session, the server and the client set up safety channel through the following five periods:
(1) version negotiation
(2) cipher key negotiation
(3) authentication negotiation
(4) session request
(5)  interacted session
NE40 only supports SSH 1.5. SSH version of attacked SSH client is different form that of NE40. Many clients use SSH 2.0. There is alarm of SSH version mismatch and it does not influence the service. But CPU usage increases.
Suggestions
Null

END