NE40E-X3 SOCKSPMT task caused CPU utilization increased

Created Mar 17, 2016 20:00:25Latest reply Mar 18, 2016 10:57:31 2101 1 0 0
Version: NE40E&80E V600R001C00SPC800
Patch: V600R001C00SPC029
Equipment alarm of  CPU Utilization over threshold and log is as follows: 
   
Oct 22 2013 01:19:03 TRICHY-NE40E-PE-A %%01SRM/4/CPUMEMALARM(l)[646078]:Slot=1;Board 1 CPU usage is Upper than threshold.

Oct 22 2013 01:19:03 TRICHY-NE40E-PE-A %%01VOSCPU/4/CPU_USAGE_HIGH(l)[646079]:Slot=1;The CPU is overloaded, and the tasks with top three CPU occupancy are VIDL, SOCK, SPMT. (CpuUsage=86%, Threshold=80%)
  • x
  • convention:

Osaideo     Created Mar 18, 2016 10:57:31 Helpful(0) Helpful(0)

Handling Process


We got information by display command of attack resource

1.Equipment was attack during 2013 -10 -22 01:06 44. To 2013 -10 -22 01:34 11
       2.Protocol number is 17 (UDP)
       3.It is a DHCP attack (DHCP protocol use UDP port number 67 as destination port of a   

   Server and UDP port number 68 is used by the client)
       4.Source IP is 0.0.0.0 and Destination IP is 255.255.255.255
       5.Source MAC is 00-e0-fc-00-00-11
Attack-resource information is following:



<TRICHY-NE40E-PE-A>display attack-source-trace slot all brief

Info: Please waiting............

No 1 Packet Info:

Interface Name : GigabitEthernet1/1/11

PeVlanid: 1104

CeVlanid: 1097

Attack Type: Application apperceive

Source Ip: 0.0.0.0

Dest Ip: 255.255.255.255

Source Port: 68

Dest Port: 67

Protocol Num : 17

Attack Pack Time : 2013-10-22 01:34:11


Attack Trace Data:

28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01

6b eb 54 00 00 ff 11 cf 2d 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 66 0d

01 01 06 00 00 2c 25 d1 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 e0 24 7f 11 fd f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------



No 3845 Packet Info:

Interface Name: GigabitEthernet1/1/11

PeVlanid: 1104

CeVlanid: 1097

Attack Type: Application apperceive

Source Ip: 0.0.0.0

Dest Ip: 255.255.255.255

Source Port: 68

Dest Port: 67

Protocol Num: 17

Attack Pack Time : 2013-10-22 01:06:44


Attack Trace Data:

28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01

6b 96 cc 00 00 ff 11 23 b6 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 88 65

01 01 06 00 7b b8 91 60 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 28 6e d4 38 54 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------




Root Cause



DHCP Request attack caused CPU utilization increased.
Solution



DHCP Request attack caused CPU utilization increased. User can find out attack host according to source MAC to solve the problem. NE40E software version V6R1 or later provide ***ysis method aimed to abnormal CPU utilization.
For interface board, we can check the time of high CPU utilization by command attack-source-trace.
For CPU board, log provide information we need and check which task occupied most of CPU resource.


Suggestions

We should be familiar with meaning of common task. Common task include FIB, ROUT, PES  and MACL except for SOCK and SMPT.

  • x
  • convention:

Responses

Reply
You need to log in to reply to the post Login | Register

Notice:To ensure the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but not limited to politically sensitive content, content concerning pornography, gambling, drug abuse and trafficking, content that may disclose or infringe upon others' intellectual properties, including commercial secrets, trade marks, copyrights, and patents, and personal privacy. Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see“ Privacy Policy.”
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Fast reply Scroll to top