USG3030 due to internal server infected virus leads to the equipment CPU utilization rate reaches to 100%.

Publication Date:  2012-11-16 Views:  297 Downloads:  0
Issue Description
USG3030 located in IDC equipment room, connected many sets of business server (they are all public IP). The external network accessing server has been normal before. Recently discovered the network user accesses server slowly, through the checking found USG3030 CPU nearly reaches to 100%.
Alarm Information
Handling Process
1, through login equipment, found CPU utilization rate is 100%, in hidden mode, see the IPFF utilization rate is 96%, we concluded that the equipment forwarding data consumed equipment performance;
2, View the session table, found there are lots of http sessions which connected with a server’s 10888 port of the internal network in external network, doubt it has network attack, but through confirmed with the customer, this is the server's a business port, it is normal to have a large number of connections. And after turned off the server, the CPU utilization rate is still not dropped, eliminate the possibility that port 10888 has network attack;
3, through capture packets in the firewall interface, found a large number of UDP messages; a server of internal network and an IP of public network send UDP messages to each other. Confirming with the customer, the connected server port is not business port, and the server uses the same port 9999 connect the external IP;
4, shut down the server, found that the CPU utilization rate immediately dropped down, after a period of observation, CPU basic maintained at 10%;
5, then checking the server again, found it inspected network virus, thus determined that the problem is caused by the internal server inspected virus which resulted in a large number of non connections, consumed equipment performance, lead to CPU utilization rate reaches to100%;
Root Cause
Because the internal network server inspected virus, it will send lots of UDP connections to an IP of the external network IP, consumed lot of the equipment’s resources, leading to CPU utilization rate is very high, equipment forwarding performance is greatly reduced.
The utilization rate of equipment CPU is high, generally can through checking the utilization rate of what process is high in hidden mode, and then further targeted check problem.