An Internet cafe (net bar) uses an AR46-40 as the egress device on its uplink, but the attached users find network access very slow, and at those times the CPU utilization of the AR46-40 is very high. Packets are discarded when users in the net bar ping public-network addresses. The resource error counter on the uplink port of the AR46-40 keeps increasing; uplink traffic reaches at most 20 Mbps, at about 30 thousand packets per second, while traffic on the downlink port is very low. The problem occurs irregularly and lasts from about one minute to ten.
Error counters increase on the uplink port:
[hainayule-hidecmd]dis int eth 0/0/0
Ethernet0/0/0 current state :UP
Line protocol current state :UP
Description : Ethernet0/0/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 58.X.X.14/30
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc6a-b155
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is force link
Output flow-control is unsupported, input flow-control is unsupported
Output queue : (Urgent queuing : Size/Length/Discards) 0/50/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 2016485.37 bytes/sec, 16131883 bits/sec, 30885.49 p
Last 300 seconds output: 1871415.87 bytes/sec, 14971327 bits/sec, 30905.78
Input: 180041481 packets, 3356183753 bytes
3368 broadcasts, 0 multicasts
3146 errors, 0 runts, 0 giants, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 3146 Resource errors
0 other errors
Output:187402350 packets, 3582816128 bytes
0 errors, 0 late collisions,
0 underruns, 0 retransmit limits
Packet capture showed that the problem was caused by a TCP SYN flood attack. A firewall configured with anti-DDoS protection was added on the uplink side of the router; to minimize the impact on the network, the firewall was connected in transparent mode. This resolved the problem.
The root cause is a TCP SYN flood. While it is under way, the AR46-40 responds to 30 thousand TCP SYN requests every second: each SYN connection request is picked up by the IP layer and handed to the TCP layer for processing, and none of the TCP handshakes ever completes. CPU utilization therefore climbs rapidly. If the attack lasts only a short time and the TCP connection resources are not exhausted, services do not fail outright, and users simply experience very slow network access. If the attack persists for a long time, the TCP connection resources are exhausted and services fail.
TCP SYN flood is a common network attack. It exploits the fact that a TCP connection requires a three-way handshake: the attacker fabricates source addresses and generates a large number of SYN packets, which in a short time consume the memory, CPU or other resources of the targeted device. Such an attack leaves a large number of session connections on HTTP or FTP servers in the network, preventing legitimate users from accessing those resources.
Because the source address and source port of a TCP SYN flood change constantly, the attack can only be guarded against by adding dedicated anti-virus and anti-attack network elements such as a firewall to the network. Network viruses and attacks are, however, numerous and change quickly. Net bar services are particularly prone to attack, so it is recommended to configure anti-virus and anti-attack settings on the access-layer equipment to ensure service safety.
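As an added example (not part of the case record), the following Python detector applies the pattern described above to constructed per-second packet summaries: a SYN flood shows a high SYN rate whose sources never send the ACK that would complete the handshake, spread over many distinct, changing addresses and ports. The rate threshold and ratio are assumed values, not figures from the case.

```python
from collections import defaultdict

# Constructed packet summaries (second, src_ip, src_port, flags), not captured data.
# ATTACK models the case above: SYNs from ever-changing fabricated sources that
# never complete the handshake. NORMAL models real clients that SYN and then ACK.
ATTACK = [(t, f"198.51.100.{i % 250 + 1}", 1024 + (t * 97 + i) % 60000, "S")
          for t in range(3) for i in range(400)]
NORMAL = []
for t in range(3):
    for i in range(20):
        src = f"10.0.0.{i + 1}"
        NORMAL += [(t, src, 40000 + i, "S"), (t, src, 40000 + i, "A")]


def syn_flood_score(packets, syn_rate_limit=200, incomplete_limit=0.8):
    """Per-second findings for a list of (second, src_ip, src_port, flags).

    A second is flagged as a flood when the SYN packet rate exceeds
    syn_rate_limit AND the share of SYN endpoints that never sent an ACK
    exceeds incomplete_limit. Both thresholds are assumed; tune per link.
    """
    syn_count = defaultdict(int)     # second -> number of SYN packets
    syn_ends = defaultdict(set)      # second -> {(ip, port)} that sent a SYN
    ack_ends = defaultdict(set)      # second -> {(ip, port)} that sent an ACK
    for sec, ip, port, flags in packets:
        if flags == "S":             # bare SYN: a new connection request
            syn_count[sec] += 1
            syn_ends[sec].add((ip, port))
        elif "A" in flags:           # ACK: this endpoint completed a handshake
            ack_ends[sec].add((ip, port))

    findings = {}
    for sec in sorted(syn_count):
        never_acked = syn_ends[sec] - ack_ends[sec]
        incomplete = len(never_acked) / len(syn_ends[sec])
        findings[sec] = {
            "syn_rate": syn_count[sec],
            "incomplete_ratio": incomplete,
            "distinct_sources": len({ip for ip, _ in syn_ends[sec]}),
            "flood": syn_count[sec] > syn_rate_limit and incomplete > incomplete_limit,
        }
    return findings
```

Running it over ATTACK + NORMAL flags every second, while NORMAL alone yields a low rate with an incomplete ratio of zero.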