• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Help: Cisco Router

J

Juic3

[H]ard|Gawd
Joined
Dec 22, 2004
Messages
1,458
Hi fellaz,

Im having serious problems with a 2621 router, its a gateway to 4 different networks. My problem is that Im getting DoS every few minutes unless I do a "clear arp".

Im new at this stuff, does anyone have a clue where to start ?
 
1.Enable Netflow to see where the DoS is coming from.

2. Then create an ACL to deny traffic from that address
 
Thanx for the response!

For the moment I set the arp timeout to a low value, and going to try what you pointed out tomorrow. Could the low arp timeout affect me on monday when everyones working ?

Like I said Im new at this, so Im looking around for setting up netflow, definitely need to kill the attacker. Any quick way ?

router#enable
Password:*****
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip route-cache flow
router-2621(config-if)#exit
router-2621(config)#ip flow-export destination 192.168.9.101 9996
router-2621(config)#ip flow-export source FastEthernet 0/1
router-2621(config)#ip flow-export version 5
router-2621(config)#ip flow-cache timeout active 1
router-2621(config)#ip flow-cache timeout inactive 15
router-2621(config)#snmp-server ifindex persist
router-2621(config)#^Z
router#write
router#show ip flow export
router#show ip cache flow

The "show ip flow export" will show me the info on screen ? Or where does the export go to ?
 
What makes you think your getting DoS'd?

Are you seeing high CPU during that period?

Do you have at least some sort of ACL inbound on your WAN/Internet interface?

You would need to know the IP address of attacker to be able to do anything. You can put a deny ip any any for now until you find out his info. Keep in mind this will deny any remote connections into your inside network.

You can export the netflow data to a collector but you can also view the data from the CLI. The command is "sh ip cache flow"

What is your input rate of the WAN/Internet interface? The rate can only be displayed for a rolling 30 second average but if he is attacking for that amount of time you should see a spike in traffic. "show int <interface>" should show the traffic rate.

Take a look at this link too, it has some good ideas.

http://www.ciscopress.com/articles/article.asp?p=345618
 
You must log in or register to reply here.
Back
Top