How to deal with high CPU utilization on a CISCO router.. Urgent...
Suspected Blaster worm infection; you can check using the following method.
Detection
Using IOS with NetFlow Enabled to Detect Infected Hosts
NetFlow can be a powerful tool to help identify infected hosts. NetFlow must be enabled on an interface with the command ip route-cache flow. The following example shows infected hosts scanning IP address space by using ICMP type 8 packets.
Router>show ip cache flow | include 0000 0800
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.119 01 0000 0800 1
Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.169 01 0000 0800 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.63 01 0000 0800 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.111 01 0000 0800 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.95 01 0000 0800 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.79 01 0000 0800 1
Using CatOS with Sup2 and MLS to Detect Infected Hosts
MLS statistics can help track down infected hosts. NetFlow should be enabled in full flow to see source and destination ports, as in the following example, which shows traffic sourced from infected hosts attempting to detect potential target systems through ICMP.
Router> (enable) set mls flow full
Router>show mls statistics entry protocol icmp
Last Used
Destination IP Source IP Prot DstPrt SrcPrt Stat-Pkts Stat-Bytes
---------------- --------------- ----- ------ ------ --------- -----------
XX.XX.XX.28 XX.XX.XX.10 ICMP 0 0 0 0
XX.XX.XX.58 XX.XX.XX.28 ICMP 0 0 0 0
XX.XX.XX.141 XX.XX.XX.223 ICMP 0 0 0 0
XX.XX.XX.189 XX.XX.XX.1 ICMP 0 0 0 0
XX.XX.XX.12 XX.XX.XX.19 ICMP 0 0 0 0
XX.XX.XX.245 XX.XX.XX.137 ICMP 0 0 0 0
XX.XX.XX.29 XX.XX.XX.22 ICMP 0 0
If so, add an ACL to block ICMP.
! Drop ICMP echo and echo-reply, permit all other IP traffic
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 permit ip any any
interface <interface>
 ip access-group 115 in
 ip access-group 115 out
Or
The worm will attempt to send packets to random IP addresses, some of which may not exist. When that occurs, the router will reply with an ICMP unreachable packet. In some cases, replying to a large number of requests with invalid IP addresses may result in degradation of the router's performance. To prevent that from occurring, use the following command:
Router(config)# interface <interface>
Router(config-if)# no ip unreachables
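
The NetFlow check described above can be automated once the `show ip cache flow` output is saved to text. The following is an added example, not part of the original post or of Cisco's text: it flags sources that send ICMP echo requests (Pr 01, DstP 0800) to many distinct destinations. The function name, the thresholds and the sample rows (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip cache flow` rows (documentation addresses).
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/0 192.0.2.242 Fa1/0 198.51.100.119 01 0000 0800 1
Fa2/0 192.0.2.242 Fa1/0 198.51.100.169 01 0000 0800 1
Fa2/0 192.0.2.204 Fa1/0 198.51.100.63 01 0000 0800 1
Fa2/0 192.0.2.204 Fa1/0 198.51.100.111 01 0000 0800 1
Fa2/0 192.0.2.204 Fa1/0 198.51.100.95 01 0000 0800 1
Fa2/0 192.0.2.204 Fa1/0 198.51.100.79 01 0000 0800 1
Fa2/0 192.0.2.10 Fa1/0 198.51.100.5 01 0000 0800 40
Fa2/0 192.0.2.10 Fa1/0 198.51.100.5 06 0C1A 0050 12
"""

ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

def echo_sweepers(text, min_targets=3, max_pkts_per_flow=2):
    """Return {source: sorted distinct targets} for hosts that look like ICMP sweepers.

    min_targets and max_pkts_per_flow are assumed thresholds; tune them per network.
    """
    targets = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank or truncated row
        # Pr 01 = ICMP; for ICMP the DstP column carries type/code: 0800 = echo request
        if int(m["pr"], 16) != 1 or m["dport"].upper() != "0800":
            continue
        if int(m["pkts"]) > max_pkts_per_flow:
            continue  # a long ping to a single host is not a sweep
        targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in echo_sweepers(SAMPLE).items():
        print(f"{src} probed {len(dsts)} hosts: {', '.join(dsts)}")
```

Hosts reported this way are candidates for inspection and cleanup; the ACL and `no ip unreachables` only reduce load on the router while that happens.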