Handling Process
The display command for the attack source gave the following information:
1. The equipment was attacked from 2013-10-22 01:06:44 to 2013-10-22 01:34:11.
2. The protocol number is 17 (UDP).
3. It is a DHCP attack (DHCP uses UDP port 67 as the destination port of the server, and UDP port 68 is used by the client).
4. The source IP is 0.0.0.0 and the destination IP is 255.255.255.255.
5. The source MAC is 00-e0-fc-00-00-11.
The attack-source information is as follows:
<TRICHY-NE40E-PE-A>display attack-source-trace slot all brief
Info: Please waiting............
No 1 Packet Info:
Interface Name : GigabitEthernet1/1/11
PeVlanid: 1104
CeVlanid: 1097
Attack Type: Application apperceive
Source Ip: 0.0.0.0
Dest Ip: 255.255.255.255
Source Port: 68
Dest Port: 67
Protocol Num : 17
Attack Pack Time : 2013-10-21 17:34
Attack Trace Data:
28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01
6b eb 54 00 00 ff 11 cf 2d 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 66 0d
01 01 06 00 00 2c 25 d1 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 e0 24 7f 11 fd f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------
…
No 3845 Packet Info:
Interface Name: GigabitEthernet1/1/11
PeVlanid: 1104
CeVlanid: 1097
Attack Type: Application apperceive
Source Ip: 0.0.0.0
Dest Ip: 255.255.255.255
Source Port: 68
Dest Port: 67
Protocol Num: 17
Attack Pack Time : 2013-10-21 17:34
Attack Trace Data:
28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01
6b 96 cc 00 00 ff 11 23 b6 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 88 65
01 01 06 00 7b b8 91 60 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 28 6e d4 38 54 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------
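As an added example (not part of the original case and not Huawei tooling), the following Python decodes the Attack Trace Data bytes shown above to recover the fields the analysis relies on: the Ethernet source MAC, both VLAN tags, the UDP ports and the DHCP client hardware address (chaddr). The function and variable names are illustrative assumptions.

```python
import struct

# Attack Trace Data from the output above, cut after BOOTP chaddr (rest is zero padding).
TRACE_1 = """
28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01
6b eb 54 00 00 ff 11 cf 2d 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 66 0d
01 01 06 00 00 2c 25 d1 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 e0 24 7f 11 fd f7"""
TRACE_3845 = """
28 6e d4 f0 b3 50 00 e0 fc 00 00 11 81 00 04 50 81 00 04 49 08 00 45 00 01
6b 96 cc 00 00 ff 11 23 b6 00 00 00 00 ff ff ff ff 00 44 00 43 01 57 88 65
01 01 06 00 7b b8 91 60 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 28 6e d4 38 54 55"""

def mac(b):
    return "-".join(f"{x:02x}" for x in b)

def decode_trace(hex_text):
    """Decode Ethernet (with stacked VLAN tags), IPv4, UDP and the BOOTP header."""
    raw = bytes.fromhex("".join(hex_text.split()))
    try:
        out = {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]), "vlans": []}
        off = 12
        (etype,) = struct.unpack_from("!H", raw, off)
        while etype in (0x8100, 0x88A8):          # 802.1Q / 802.1ad tag
            (tci,) = struct.unpack_from("!H", raw, off + 2)
            out["vlans"].append(tci & 0x0FFF)     # low 12 bits = VLAN ID
            off += 4
            (etype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if etype != 0x0800 or raw[off + 9] != 17:
            raise ValueError("not an IPv4/UDP frame")
        out["src_ip"] = ".".join(map(str, raw[off + 12:off + 16]))
        out["dst_ip"] = ".".join(map(str, raw[off + 16:off + 20]))
        off += (raw[off] & 0x0F) * 4              # skip IPv4 header (IHL words)
        out["sport"], out["dport"] = struct.unpack_from("!HH", raw, off)
        off += 8                                  # skip UDP header
        out["bootp_op"], hlen = raw[off], raw[off + 2]   # op 1 = BOOTREQUEST
        out["xid"] = raw[off + 4:off + 8].hex()
        if hlen > 16 or len(raw) < off + 28 + hlen:
            raise ValueError("bad or truncated BOOTP header")
        out["chaddr"] = mac(raw[off + 28:off + 28 + hlen])  # client hardware address
    except (struct.error, IndexError):
        raise ValueError("truncated frame") from None
    return out

if __name__ == "__main__":
    for name, trace in (("No 1", TRACE_1), ("No 3845", TRACE_3845)):
        print(name, decode_trace(trace))
```

In both traces the Ethernet source MAC decodes to 00-e0-fc-00-00-11 and the VLAN tags to 1104 and 1097, while the chaddr field is e0-24-7f-11-fd-f7 in No 1 and 28-6e-d4-38-54-55 in No 3845.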
Root Cause
A DHCP Request attack caused CPU utilization to increase.
Solution
A DHCP Request attack caused CPU utilization to increase. The attacking host can be found by its source MAC address to solve the problem. NE40E software version V6R1 or later provides analysis methods for abnormal CPU utilization.
For an interface board, we can check the time of high CPU utilization with the attack-source-trace command.
For a CPU board, the log provides the information we need; check which task occupies the most CPU resources.
Suggestions
We should be familiar with the meaning of common tasks. Common tasks include FIB, ROUT, PES and MACL, except for SOCK and SMPT.