MCU(9620) Web Interface Connection Issue

Publication Date: 2014-06-06
Issue Description
1. The web interface of the MCU cannot be accessed.
2. SSH login is very slow. Characters appear one at a time in the SSH console.
3. No conference is in progress.
4. CPU utilization is very high (100%) even though there is no conference.
5. The traffic into the MCU is low, around 2.4 kbit/s.
Alarm Information
NA
Handling Process
1. sys ftp-s: set the FTP server, then export all of the MCU's log files (upgrade export) and the EDR (debug export-edr-file).
2. Check whether the MCU time (dis clock) differs from the actual time.
3. Collect the MCU's version (dis version) and alarm (dis alarm) information.
4. Is the MCU connected to the Internet? What operations or tests were performed before the problem occurred?
Root Cause
1. The log information shows that illegal SSH login attempts caused the MCU to behave abnormally.
[User][Notice] 2014-04-28 15:34:10 main 1090265 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:14 main 1090666 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:17 main 1090763 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:20 main 1090958 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:23 main 1091086 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:25 main 1091262 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:28 main 1091375 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:31 main 1091680 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:34 main 1091753 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.

2. The SSH attack has continued (the following log entries are from about 9:00 o'clock).

[User][Notice] 2014-04-27 21:00:15 main 2951751 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:23 main 2952107 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:29 main 2952348 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:35 main 2952734 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:49 main 2953489 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
3. Once the SSH attacks reach a certain level, they exhaust the MCU's memory. The upper-layer program's memory allocations then fail continuously, which leaves the program in an abnormal state. This is what produces the 100% CPU utilization.
4. So the root cause of the 100% CPU utilization is the SSH attack.
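
The pattern in the log excerpts above can be detected automatically from an exported log. The following Python sketch is an added example, not Huawei code: it parses the failed-login entries in the format shown on this page and reports runs of closely spaced failures per user name. The thresholds (`min_attempts`, `max_gap_s`) are assumptions to tune, and the "admin" sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Failed-login entries in the log format shown on this page.
FAIL_RE = re.compile(
    r"^\[User\]\[Notice\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"string:SSH:User name:(\S+) log on fail\.$"
)

def parse_failures(lines):
    """Yield (timestamp, username) for each failed SSH login entry."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def find_bursts(lines, min_attempts=5, max_gap_s=15):
    """Return (user, first, last, count) for each run of failures whose
    consecutive gaps are <= max_gap_s and whose length is >= min_attempts."""
    max_gap = timedelta(seconds=max_gap_s)
    runs = {}  # username -> list of runs, each run a list of timestamps
    for ts, user in sorted(parse_failures(lines)):
        user_runs = runs.setdefault(user, [])
        if user_runs and ts - user_runs[-1][-1] <= max_gap:
            user_runs[-1].append(ts)   # still inside the current run
        else:
            user_runs.append([ts])     # gap too large: start a new run
    return [(user, run[0], run[-1], len(run))
            for user, user_runs in sorted(runs.items())
            for run in user_runs if len(run) >= min_attempts]

# Five 15:34 entries and the 21:00 entries from the excerpts above, plus one
# constructed "admin" line that must not be flagged on its own.
SAMPLE = """\
[User][Notice] 2014-04-28 15:34:10 main 1090265 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:14 main 1090666 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:17 main 1090763 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:20 main 1090958 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 15:34:23 main 1091086 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-28 09:12:01 main 1000001 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:admin log on fail.
[User][Notice] 2014-04-27 21:00:15 main 2951751 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:23 main 2952107 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:29 main 2952348 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:35 main 2952734 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
[User][Notice] 2014-04-27 21:00:49 main 2953489 Null [EXPARA:14<CPUID=0x1000>]string:SSH:User name:root log on fail.
""".splitlines()

if __name__ == "__main__":
    for user, first, last, count in find_bursts(SAMPLE):
        print(f"{user}: {count} failed SSH logins between {first} and {last}")
```
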
Suggestions
1. To counter the SSH connection attack, filter TCP port 22 (the SSH login port) on the switch that connects to the MCU.
2. Update to the new software version (HUAWEI VP9610 V100R002C02B020SP05) to avoid the issue occurring again.
