High CPU Usage on a Service Board of NE40E Because of TCP Attacks

Publication Date: 2013-10-26
Issue Description

Version: NE40E&80E V300R002C06B325

Users connected to an NE40E experienced slow E-Line service access, and pings from the NE40E to the gateway showed a large delay.

The CPU usage of the service board in slot 1 on NE40E reached 93%. The top two tasks that had high CPU usage were VPR and COCK. 
Handling Process

The efu qos cp-car cnt_show 1 clear command was run in diagnosis mode to query the packets discarded by the CP-CAR.

Excp ID :          Green :       Yellow :          Red
9     P :    0x00000899c       0x00053e     0x000052a6
      B :    0x0001d08c8       0x011b4c     0x00116f90

A large number of packets with Excp_ID 9 were discarded. According to the Excp_ID mapping table, Excp_ID 9 corresponds to IPV4_TCP packets. It was therefore concluded that TCP attacks caused the high CPU usage on the service board.
Root Cause
TCP attack
Solution

Configure a policy for the CP-CAR to deny IPV4_TCP packets and permit FTP packets.

Permit FTP packets and deny IPV4_TCP packets:

acl number 3200
 rule 5 permit tcp source-port eq ftp-data
 rule 10 permit tcp destination-port eq ftp-data
 rule 15 deny tcp
#
traffic classifier acl3200 operator or
 if-match acl 3200
traffic behavior acl3200
#
traffic policy acl3200
 classifier acl3200 behavior acl3200
#

Apply the policy:

cpcar slot 1 ipv4-tcp
 traffic-policy acl3200

After the policy was applied, the CPU usage of the service board decreased to 15% and services became normal.
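
The following is an added example, not part of the original case or of any vendor tooling. It evaluates the three rules of ACL 3200 above against constructed sample flows, so the effect of the policy on each kind of TCP traffic can be checked before it is applied. It assumes rules are matched in ascending rule-ID order with the first match winning; the function names and sample flows are constructed for illustration.

```python
import re

# ACL 3200 exactly as configured on this page.
ACL_3200 = """\
rule 5 permit tcp source-port eq ftp-data
rule 10 permit tcp destination-port eq ftp-data
rule 15 deny tcp
"""
PORT_NAMES = {"ftp-data": 20, "ftp": 21}  # well-known port keywords
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+tcp"
    r"(?:\s+(?P<side>source|destination)-port\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_acl(text):
    """Return rules sorted by rule ID as (id, action, side, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        port = m["port"]
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append((int(m["id"]), m["action"], m["side"], port))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src_port, dst_port):
    """Assumption: rules are checked in ascending rule ID, first match wins."""
    for rule_id, action, side, port in rules:
        if side is None or (src_port if side == "source" else dst_port) == port:
            return action, rule_id
    return "no-match", None

# Constructed sample TCP flows: (description, source port, destination port).
SAMPLE_FLOWS = [
    ("FTP data, dst port 20", 40000, 20),
    ("FTP data, src port 20", 20, 40001),
    ("FTP control", 40002, 21),
    ("SSH management", 40003, 22),
    ("BGP session", 40004, 179),
]

def report(flows=SAMPLE_FLOWS):
    rules = parse_acl(ACL_3200)
    return [(name, *evaluate(rules, s, d)) for name, s, d in flows]

if __name__ == "__main__":
    for name, action, rule_id in report():
        print(f"{name:24} {action:6} rule {rule_id}")
```

In this evaluation only the two ftp-data flows are permitted; FTP control, SSH and BGP all fall through to rule 15, so confirm which TCP services the board's CPU must accept before reusing the same ACL.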
Suggestions

High CPU usage on a service board is often caused by attacks. It is recommended to adjust the CP-CAR configuration to protect the CPU.

Run the efu qos cp-car cnt_show 1 clear command to identify the attack.
