delay of reply on ping and high cpu usage

on 04.12.2006 12:48:20 by enghmh

Hi all,
I have a Cisco 2514 router. Sometimes when I ping it (from the internal
LAN) it responds in 500 to 1200 ms and gives a lot of packet loss, and
this goes on for about two hours and then finishes and the router gets
back to its normal work (ping replies with 10-20 ms at most). During
these 2 hours the CPU utilization varies from 85% to 90%. I think
there is a machine inside that is the reason for that when it sends a lot of
traffic.
How can I detect the IP of this machine?
And how can I be sure it is not from outside, and if it was from outside, how
to detect its IP and prevent it from attacking my network?
I hope I can find an answer because I'm in big trouble.
Thank you all.

Re: delay of reply on ping and high cpu usage

on 04.12.2006 18:04:39 by Ansgar -59cobalt- Wiechers

enghmh wrote:
> I have a Cisco 2514 router. Sometimes when I ping it (from the internal
> LAN) it responds in 500 to 1200 ms and gives a lot of packet loss, and
> this goes on for about two hours and then finishes and the router gets
> back to its normal work (ping replies with 10-20 ms at most). During
> these 2 hours the CPU utilization varies from 85% to 90%. I think
> there is a machine inside that is the reason for that when it sends a lot of
> traffic.
>
> How can I detect the IP of this machine?
> And how can I be sure it is not from outside, and if it was from outside,
> how to detect its IP and prevent it from attacking my network? I hope I
> can find an answer because I'm in big trouble. Thank you all.

To find the IP address of a box on the inside I would suggest tapping the
wire to the router, e.g. by putting a hub between the router and the
switch it's connected to:

  Switch ------ Hub ------ Router
                 |
              your PC

On your PC you run a sniffer (e.g. Wireshark [1]) to inspect the network
traffic.

An outside attacker's IP should show up in the logs on your router, but
I'm not really familiar with Cisco boxes. Walter Roberson can probably
give you some pointers with that.

[1] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
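
One way to pick the heaviest sender out of a capture taken at the tap described above, as an added example that is not part of the original thread. It assumes the capture was saved from the sniffer as a classic pcap file with Ethernet framing; the 10.0.0.0/24 inside network and every address in the sample are constructed.

```python
import ipaddress
import struct
from collections import Counter

def top_talkers(pcap_bytes, inside_net):
    """Return (bytes sent per source IP, set of sources outside inside_net)."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # file written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    inside = ipaddress.ip_network(inside_net)
    volume, outside = Counter(), set()
    pos = 24                    # skip the 24-byte global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue            # truncated frame or not plain IPv4 (ARP, VLAN tag, IPv6)
        src = ipaddress.ip_address(frame[26:30])   # IPv4 source address field
        volume[str(src)] += orig_len               # on-the-wire length, not snapped length
        if src not in inside:
            outside.add(str(src))
    return volume, outside

def sample_capture():
    """Constructed capture: one noisy inside host, one quiet one, one outside source."""
    def frame(src, payload_len):
        eth = bytes(6) + bytes(6) + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address("10.0.0.1").packed)
        return eth + ip + bytes(payload_len)
    packets = [("10.0.0.23", 1400)] * 40 + [("10.0.0.5", 64)] * 3 + [("198.51.100.7", 64)] * 2
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, size in packets:
        data = frame(src, size)
        out += struct.pack("<IIII", 0, 0, len(data), len(data)) + data
    return out

if __name__ == "__main__":
    volume, outside = top_talkers(sample_capture(), "10.0.0.0/24")
    for ip, nbytes in volume.most_common(5):
        print(f"{ip:15} {nbytes:8} bytes  {'OUTSIDE' if ip in outside else 'inside'}")
```

Source addresses can be forged, so a top talker flagged as outside is a starting point for checking the router's own counters rather than proof of origin.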