Network viruses cause high CPU usage, slow Telnet operation, and high loss ratio of ping packets on the S8016

Publication Date: 2012-07-27
Issue Description
 Version: <S8016>dis version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 3.10, RELEASE 2358
Copyright (C) 1997-2003 HUAWEI TECH CO., LTD.

Networking: User----Access Switch----S8016----Router
Fault phenomenon: A user connected to the S8016 can get online, but Telnet connections to the S8016 are slow and many ping packets sent to the S8016 are discarded.

 
Alarm Information
%Jul 16 02:50:22 2009 S8016 PROXY/5/toomanyfibmiss: Source 61.176.194.117 has too many (3021) FIBMISS at slot 3 in last 1 minute.

%Jul 16 03:18:25 2009 S8016 PROXY/5/toomanyfibmiss: Source 218.60.132.156 has too many (7423) FIBMISS at slot 3 in last 1 minute.

%Jul 16 03:31:50 2009 S8016 PROXY/5/toomanyfibmiss: Source 190.74.200.81 has too many (493) FIBMISS at slot 3 in last 1 minute.

%Jul 16 04:19:03 2009 S8016 PROXY/5/toomanyfibmiss: Source 218.60.132.156 has too many (7450) FIBMISS at slot 3 in last 1 minute.

%Jul 16 05:19:40 2009 S8016 PROXY/5/toomanyfibmiss: Source 218.60.132.156 has too many (7435) FIBMISS at slot 3 in last 1 minute.

%Jul 16 05:53:33 2009 S8016 PROXY/5/toomanyfibmiss: Source 222.63.55.253 has too many (66) FIBMISS at slot 3 in last 1 minute.

 
Handling Process
1. Log in to the S8016 through the console interface; the CPU usage is 70%.
2. Check the logs of the S8016; they show FIB miss alarms.
3. The logs show that the FIB miss alarms occur in slot 3. Check the bucket in slot 3; a lot of packets are discarded in bucket 3.
4. Decrease the traffic rate from 32K to 8K. The fault persists.
5. The S8016 is suspected to be under attack from the network. Use the Ethereal tool to capture packets. Because there is a large amount of traffic, the flows captured first are normal HTTP traffic. Searching the captured traffic then reveals virus traffic on port 5554.
6. Configure EACLs to filter out common virus traffic on the upstream interfaces.
7. After the EACLs are applied, the CPU usage is greatly reduced and the Telnet services are normal.
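
Steps 2 and 3 rely on reading the toomanyfibmiss alarms to see which sources and which slot are involved. The Python code below is an added example, not part of the original case or a Huawei tool: it parses alarms in the format shown under Alarm Information, whether wrapped or on one line, and ranks sources by FIB misses. The sample log uses constructed documentation addresses, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the page's alarm format, using RFC 5737 documentation
# addresses. Records are wrapped after the mnemonic or kept on one line.
SAMPLE_LOG = """\
%Jul 16 02:50:22 2009 S8016 PROXY/5/toomanyfibmiss:
Source 192.0.2.10 has too many (3021) FIBMISS at slot 3 in last 1 minute.
%Jul 16 03:18:25 2009 S8016 PROXY/5/toomanyfibmiss: Source 198.51.100.7 has too many (7423) FIBMISS at slot 3 in last 1 minute.
%Jul 16 03:31:50 2009 S8016 PROXY/5/toomanyfibmiss:
Source 203.0.113.81 has too many (493) FIBMISS at slot 3 in last 1 minute.
%Jul 16 04:19:03 2009 S8016 PROXY/5/toomanyfibmiss:
Source 198.51.100.7 has too many (7450) FIBMISS at slot 3 in last 1 minute.
%Jul 16 05:19:40 2009 S8016 PROXY/5/toomanyfibmiss:
Source 198.51.100.7 has too many (7435) FIBMISS at slot 3 in last 1 minute.
%Jul 16 05:53:33 2009 S8016 PROXY/5/toomanyfibmiss:
Source 203.0.113.253 has too many (66) FIBMISS at slot 3 in last 1 minute.
"""

ALARM_RE = re.compile(
    r"%(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) "
    r"PROXY/5/toomanyfibmiss:\s*"  # whitespace match also absorbs a line wrap
    r"Source (?P<src>\d+(?:\.\d+){3}) has too many \((?P<count>\d+)\) "
    r"FIBMISS at slot (?P<slot>\d+) in last \d+ minute"
)

def parse_alarms(text):
    """Return one record per toomanyfibmiss alarm found in the log text."""
    return [{"ts": m["ts"], "src": m["src"], "slot": int(m["slot"]),
             "count": int(m["count"])} for m in ALARM_RE.finditer(text)]

def rank_sources(alarms):
    """Per (source, slot): number of alarms, total and peak misses, by total."""
    stats = defaultdict(lambda: {"alarms": 0, "total": 0, "peak": 0})
    for a in alarms:
        s = stats[(a["src"], a["slot"])]
        s["alarms"] += 1
        s["total"] += a["count"]
        s["peak"] = max(s["peak"], a["count"])
    return sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)

def filter_candidates(ranked, min_alarms=2, min_peak=1000):
    """Sources that alarm repeatedly at a high rate; thresholds are assumed."""
    return [src for (src, _slot), s in ranked
            if s["alarms"] >= min_alarms and s["peak"] >= min_peak]

if __name__ == "__main__":
    ranked = rank_sources(parse_alarms(SAMPLE_LOG))
    for (src, slot), s in ranked:
        print(f"{src:<15} slot {slot}  alarms={s['alarms']}  "
              f"total={s['total']}  peak={s['peak']}")
    print("review for filtering:", filter_candidates(ranked))
```

A source that recurs across several one-minute windows with a high peak is the one to examine in a packet capture before writing a filter; a single low-count alarm is more likely ordinary ARP learning.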

 
Root Cause
A FIB miss message is used to form a host route entry. (This message is often displayed when the network segment is scanned, which triggers the sending of ARP requests.)
An ARP request can be triggered in any of the following situations:
1. The destination address is on the network segment where the directly connected interface resides; the interface cannot find a host route for the data packets due to lack of ARP entries but finds a route to the network segment where the directly connected interface resides, which causes FIB miss and then triggers the learning of ARP entries of the directly connected host or device.
2. The destination address is on the network segment where the indirectly connected interface resides; the interface finds the route to the destination network segment but the outbound interface is invalid (the outbound interface in the FIB table is a VLAN but not a port), which causes FIB miss. 

 
Suggestions
High CPU usage indicates that the CPU is frequently occupied. In this case, find out which processes are occupying the CPU and which packets are being sent to the CPU, and then take measures to filter out attack packets such as virus packets. Then, you can remove the attack source.

 
