No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E-X3 SOCKSPMT task caused CPU utilization increased

Publication Date:  2015-01-09 Views:  65 Downloads:  0
Issue Description

Version: NE40E&80E V600R001C00SPC800
Patch: V600R001C00SPC029
Equipment alarm of  CPU Utilization over threshold and log is as follows:

 

   

Oct 22 2013 01:19:03 TRICHY-NE40E-PE-A %%01SRM/4/CPUMEMALARM(l)[646078]:Slot=1;Board 1 CPU usage is Upper than threshold.

Oct 22 2013 01:19:03 TRICHY-NE40E-PE-A %%01VOSCPU/4/CPU_USAGE_HIGH(l)[646079]:Slot=1;The CPU is overloaded, and the tasks with top three CPU occupancy are VIDL, SOCK, SPMT. (CpuUsage=86%, Threshold=80%)

 

Handling Process


We got information by display command of attack resource

1.Equipment was attack during 2013 -10 -22 01:06 44. To 2013 -10 -22 01:34 11
       2.Protocol number is 17 (UDP)
       3.It is a DHCP attack (DHCP protocol use UDP port number 67 as destination port of a   

   Server and UDP port number 68 is used by the client)
       4.Source IP is 0.0.0.0 and Destination IP is 255.255.255.255
       5.Source MAC is 00-e0-fc-00-00-11
Attack-resource information is following:

 

<TRICHY-NE40E-PE-A>display attack-source-trace slot all brief

Info: Please waiting............

No 1 Packet Info:

Interface Name : GigabitEthernet1/1/11

PeVlanid: 1104

CeVlanid: 1097

Attack Type: Application apperceive

Source Ip: 0.0.0.0

Dest Ip: 255.255.255.255

Source Port: 68

Dest Port: 67

Protocol Num : 17

Attack Pack Time : 2013-10-22 01:34:11

Attack Trace Data:

28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01

6b eb 54 00 00 ff 11 cf 2d 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 66 0d

01 01 06 00 00 2c 25 d1 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 e0 24 7f 11 fd f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------

No 3845 Packet Info:

Interface Name: GigabitEthernet1/1/11

PeVlanid: 1104

CeVlanid: 1097

Attack Type: Application apperceive

Source Ip: 0.0.0.0

Dest Ip: 255.255.255.255

Source Port: 68

Dest Port: 67

Protocol Num: 17

Attack Pack Time : 2013-10-22 01:06:44

Attack Trace Data:

28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01

6b 96 cc 00 00 ff 11 23 b6 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 88 65

01 01 06 00 7b b8 91 60 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 28 6e d4 38 54 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------



Root Cause

 

DHCP Request attack caused CPU utilization increased.

Solution

 

DHCP Request attack caused CPU utilization increased. User can find out attack host according to source MAC to solve the problem. NE40E software version V6R1 or later provide analysis method aimed to abnormal CPU utilization.
For interface board, we can check the time of high CPU utilization by command attack-source-trace.
For CPU board, log provide information we need and check which task occupied most of CPU resource.


Suggestions
We should be familiar with meaning of common task. Common task include FIB, ROUT, PES  and MACL except for SOCK and SMPT.

END