Cisco :: 4404WLC - Causing DOS Attack Several Times A Day
Feb 12, 2013
I manage a CISCO 4404 WLC with about 46 access points across our WAN. System works very well, serving trusted users, guests etc. very well. However, over the last month or two we have had an issue where we have had high load on our WAN. We have traced this down to the CISCO 4404: about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
In one week I need to import the config from my 4404 WLC to my new 5508, then I just want to change the mgmt IP address of the 5508 and then bring it into the same mobility group. How do I import the config when the 5508 is straight out of the box?
We have a Cisco 4404 WLC and about 70 Cisco 1131 APs. I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs. We have an AP that has unregistered and we can't seem to find what switchport it was attached to. It would be useful to know the IP address and ideally any CDP information it had. Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.
I am wondering how to change my internet IP address as someone is DDOS attacking me on a daily basis. I have tried all the ipconfig stuff, and unplugged my modem for an hour. Not sure what to do at this point. Plugging my PC directly to the modem changes my IP, but then when I plug my PC back into my router, it changes back.
We are continuously getting logs created as below in an ASA 5510. I suspect something is going wrong (like the system is getting compromised?).
Note: I have changed the actual public IP to 126.96.36.199 for security reasons.
Mar 18 21:46:19 188.8.131.52 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 184.108.40.206 to 220.127.116.11
Mar 18 21:46:19 18.104.22.168 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 22.214.171.124 to 126.96.36.199
Mar 18 21:46:20 188.8.131.52 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 184.108.40.206 to 220.127.116.11
Mar 18 21:46:21 18.104.22.168 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 22.214.171.124 to 126.96.36.199
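As an added example (not from the post or from Cisco), a small Python parser for the %ASA-2-106017 lines quoted above: it extracts the reporting device, the ASA timestamp and the addresses, aggregates the drops per source/destination pair and flags pairs that recur as a stream rather than a one-off. The sample syslog, the device names fw01/pix01 and the thresholds are constructed assumptions; the same message also appears in the later post about the PIX between the WLC and the APs, which the sample covers with a 0.0.0.0 line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the message quoted in the post: a syslog relay prefix (month, day,
# time, reporting device), then the ASA's own timestamp and the %ASA-2-106017
# body. Written for this example; it is not a Cisco-provided parser.
LAND_RE = re.compile(
    r"^(?P<relay_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) "
    r"(?P<asa_ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-2-106017: "
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)"
)

# Constructed sample input. 126.96.36.199 is the anonymised address the poster
# substituted; the device names and the final non-106017 line are made up here.
SAMPLE_SYSLOG = """\
Mar 18 21:46:19 fw01 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 126.96.36.199 to 126.96.36.199
Mar 18 21:46:19 fw01 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 126.96.36.199 to 126.96.36.199
Mar 18 21:46:20 fw01 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 126.96.36.199 to 126.96.36.199
Mar 18 21:46:21 fw01 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 126.96.36.199 to 126.96.36.199
Mar 18 21:46:25 pix01 Mar 18 2011 21:46:28: %ASA-2-106017: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0
Mar 18 21:46:26 fw01 Mar 18 2011 21:46:29: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/40000 to inside:10.0.0.5/443
"""


def parse_land_events(text):
    """Return one dict per %ASA-2-106017 line in text; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LAND_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        # The ASA's own timestamp carries the year, so use it for timing.
        ev["when"] = datetime.strptime(ev["asa_ts"], "%b %d %Y %H:%M:%S")
        events.append(ev)
    return events


def summarize(events):
    """Aggregate per (device, src, dst): count, observed span and average rate.

    A LAND packet carries source == destination, so the 'from' address is the
    firewall's own interface (or 0.0.0.0), not an origin that can be blocked;
    src_is_dst records that so nobody shuns their own address by mistake.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["device"], ev["src"], ev["dst"])].append(ev["when"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        summary[key] = {
            "count": len(times),
            "span_seconds": span,
            "per_second": len(times) / span if span > 0 else None,
            "src_is_dst": key[1] == key[2],
        }
    return summary


def sustained_pairs(summary, min_count=3, min_span_seconds=1):
    """Keys whose drops recur long enough to be a stream rather than a one-off."""
    return sorted(
        key for key, s in summary.items()
        if s["count"] >= min_count and s["span_seconds"] >= min_span_seconds
    )


if __name__ == "__main__":
    report = summarize(parse_land_events(SAMPLE_SYSLOG))
    for key, s in report.items():
        print(key, s["count"], "drops over", s["span_seconds"], "s")
    print("sustained:", sustained_pairs(report))
```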
I have multiple questions about the PIX 525, software version 8.0(2), ASDM 6.0(2). I am a Windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.
This option is currently DISABLED for all interfaces. I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work, and should I enable it, and for which interfaces? Second Question: Scanning Threat Detection - Auto Shun
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection. Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.
How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
I am probably, at least, the third owner of this device and I do not have an account with Cisco, nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them. My goal is to back up the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.
I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit?
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? And is it tied to this device specifically, or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?
Is there any way to block a DDOS attack? I don't know too much about DDOS attacks and how they work, but I think I understand a little bit of it. Is there no way to configure a firewall to detect rapid, spontaneous, continuous amounts of fragmented, random data coming from an IP address? Wouldn't the data coming in from a DDOS server be somewhat distinct from data that flows normally?
I'm on my 3rd Virgin Media 615 today; the last one arrived yesterday and I opened the box to find a rev D with the old bios installed, threw hands in air and all that, and then proceeded to upgrade to 4.13, which I have found to be stable and work OK. The other two grew to have the wireless failure issue. I could moan here about VM but hey, there's no point, so I have come here for advice. After I found the last one's wireless going down, daily trips from the kids down to me to ask why the internet isn't working etc. etc., I started to investigate. I found the 4.13 and genned up a bit, looked at the 3rd party code and came back to D-Link's own code. Anyway, I have seen in the last few days hundreds of similar port scans. [code]
Now, is the router being a little sensitive to harmless software companies' scans to see if products are installed etc., or are they something to worry about? Now I know what's going on, if it's the latter, and I don't think anyone's got in yet, but I would like to ban these IPs and to be honest I'm not sure of the best way. Also I noted a UDP active session that is not a part of my subnet too, mine being a standard 192.168.0.* and the other being 192.168.4.*.
We have a WLAN consisting of a WLC 4402 and 11 lightweight APs. For security/compliance reasons we have a Cisco PIX firewall that sits between the WLC (outside) and the APs (inside). The APs are allowed to form LWAPP tunnels through the firewall (inside access-list) to the WLC and the WLAN works as expected. The firewall then limits traffic from the WLAN (outside access list) to certain internal systems. I have noticed that every so often the firewall logs show continuous "Land attack from 0.0.0.0 0.0.0.0" messages, then all APs are disconnected (all lights flash).
I have a Cisco ASA 5510. I am attacking my firewall using nmap. I can see the attack in the log, but I would like the firewall to send only an alarm of the attack by email. I have activated email warnings and I receive a great deal of email.
I observed that the graph shows the attack, but not the IP of the attacker; is it possible for the Cisco ASA to show the IP too? The log shows scanning with nmap but is not shunning the IP and not sending an alarm. How can I send an alarm? The graph does not show the IP; is it possible to show it?
I study at the University of Ostrava and currently I am working on my master's thesis. Its content is the realization of a few attacks on a network. Now I am trying to implement an ICMP redirect attack using the Intercepter program. You can see a diagram of my network in the enclosed picture (Schema.jpg). Through the Intercepter program I generate ICMP redirect packets (ICMP type 5), which are successfully sent from the PC Attacker, but these packets do not arrive at the PC Victim and Wireshark shows me the message "Destination Unreachable (Host Unreachable)." When I use a non-Cisco switch (for example: Edimax) or a hub instead of the Cisco switch, the ICMP redirect packets arrive at the PC Victim and I can continue with the attack?
SW: Switch is in the default setting. Cisco Catalyst 2960, IOS: c2960-lanbasek9-mz.122-50.SE3.bin
Router: Set only IP address on FastEthernet interfaces. Cisco 2801, IOS: 2801-ipbasek9-mz 124.25f.bin
Currently in my office we have a TP-Link wireless router (WR1043N) and a D-Link 615 router. Below is my office's network organization. Internet --> TPLinkRouter (192.168.2.0) --> DlinkRouter (192.168.0.0). We want to host a demo website but we are afraid of our network being attacked. So we wish to implement a DMZ network to hide our internal network from the outside. My question is: can I set up a DMZ network with the above capabilities by using home routers?
Can a Cisco ASA 5510 or 5520 protect against DDoS attacks and SYN floods? I have a problem with this, so how can I protect against it? Sometimes I see in my log things like "sync flood " or "ddos to xxx.xxx.xxx.xxx", with the IP address random.
I am trying to launch a LAND attack against my firewall, an ASA 5520. Everything works fine. But why? I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with the source of 127.0.0.1 or the IP address of the interface as the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.
A customer reported that their router experienced spikes (high cpu utilization) every 4 hours and claims that it is caused by snmp polling of the Ciscoworks server.
The SNMP ENGINE process is the process that causes these spikes. We think that the job responsible for this periodic high CPU utilization is called "Vrf Collector Job" and it's running every 4 hours. Below is the result of show stack PID and show version:
*Sep 5 12:02:43.230 GMT+1: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 56%/14%, Top 3 processes(Pid/Util): 557/39%, 488/1%, 555/0%
*Sep 5 12:02:43.286 GMT+1: %HA_EM-4-LOG: CPUTH: Process 557: SNMP ENGINE Stack segment 0x1CFC204C - 0x1CFC4F2C
I have a WiFi in my home, when this laptop is under normal load, say like streaming a 360p youtube video, all the computers in my home will experience a huge lag and it becomes impossible to surf or do any internet activity (even the causing laptop itself will experience huge pings). The weird part is that the lag is at the LAN level, it is not related to my internet bandwidth. Because when I ping my local router (192.168.2.1) with other PCs during the lag period, I get 1000-4000 ms. However, it is usually 1 ms. I tried doing a stress test on one of my normal laptops by downloading at maximum speed, the problem did not occur, there was no lag, all my PCs did not encounter that lag and I still get 1 ms when pinging the router. It is only this laptop that when it starts downloading, my network will be flooded.
Another related problem with the laptop is that every time I log off, then log in and try to reconnect to my network, it will not allow me; I will have to click on the Windows diagnose problem and it will be fixed, saying "Problem with wireless adapter or access point".
I'm using cable (7.5Mbps) w/ unlimited bandwidth. I have 2 wired PCs on the network and 4 PCs connected via wireless. My current router is a Netgear WND3400 but I had a Linksys WRT160n v3 previously.
My problem is that I've been getting very high ping in games (PC) and also on my PS3 like > 400ms over the past month but only after like 9:30pm or so. During the day it's always smooth. I called my ISP and they told me everything was fine from their end and the modem too.
1 PC on the network makes the other PCs lag even if that PC isn't downloading or using any bandwidth at all? I did some tests today, like: I open CMD and type: ping -t url... and I get like 6ms but when that particular PC is powered on, the ping increases to > 400ms.
If my computer has been sitting for a while without using the internet and I open my browser, the DSL and internet lights on my router shut off for about 15 seconds and no one in my house has internet, and then it turns back on. This ONLY happens when it has been sitting for a while with the browser closed, and my computer is the only one that makes it do it. Also, I don't have my computer set to sleep after a certain time; my monitor turns off after 5 minutes and that's it. I have a Siemens Gigaset SE567 and my ISP is Telus.
For starters, I have a Qwest M1000 modem and a Netgear router. This morning there was a rather large thunderstorm that caused my power to cut out while I was using my computer. Once I got it back up and running, the ethernet light on my modem wasn't lighting up. I really have no idea what to do. Everything but the ethernet is working. I can still get to my router's website but that's it, and I don't know what to do there once I'm on it. Is it possible the storm messed up the settings? Or killed part of my PC/modem? On my computer the ethernet light next to the jack on the back is yellow when it's through my router, but when I plug my modem into it directly it doesn't light up at all.
I'll access a site like [URL]; normally the first 2 or three links will work that I click on and then maybe the third link will cause a timeout. I'll refresh the page after receiving the timeout notice and it'll appear fine. This is happening to other sites as well. The reason I know it's the router is when I plug my PC directly into the modem, I don't receive this problem. The problem is happening with my laptop, PC and iPhone. I've asked the ISP to go over the settings in my router to make sure they're all configured correctly and they say they're not trained on troubleshooting routers, so they direct me to Netgear again. I don't really know what I should be looking at in the router page (I don't know much about routers/networking),
I've recently added a desktop pc to the home's wireless network (using a D-Link DWA-125 Wireless N 150 USB adapter rev.A2) and it used to play nicely with the other devices. After switching out the router to an Actiontec V1000H my computer has begun losing most connectivity when the PS3 is turned on.
The pc still sees the network and there is a little activity there it seems. Everything runs fine when the PS3 is off and in the Wireless Network Connection Status display the speed is usually listed at 65-75 Mbps. But when the PS3 is turned on it reads 6.5 Mbps with the IPv4 connectivity bouncing between "internet" and "limited". Windows' automatic diagnosis is "Cannot communicate with DNS server".
I tried assigning static IP addresses to the pc and ps3 thinking there was a possible IP conflict with the dynamic addresses. Thinking there could be a conflict with ports I read up on port forwarding but my knowledge of networking is limited and I'm not even sure if that is the problem.
There are a lot of other devices connected: 2 laptops, 2 iPod touches, an iPhone, the PS3 and now this old desktop clunker. I figure it's possible that the router is getting overloaded with everything and the PS3 just pushes my computer's bandwidth out the window, but I would think that there would be some noticeable drop in performance on the other laptops as well, which there hasn't been.
We installed a new ASA 5510 (ver 8.3(1)) on the weekend and since then have had one isolated email issue. Here is the situation. We have a remote office that connects to us via IPsec site-to-site tunnel. They remote in to one of our servers and from that server email themselves PDFs. They have their own Exchange server for general use, but the emails sent from our server go through our Exchange server of course. The received email shows the user as the sender AND receiver. This previously worked fine. Since installing the ASA though, users get the following error when they try to open the document: "There was an error opening this document. The file is damaged and could not be repaired." They tried this with a text file and the same thing occurred. I have disabled SMTP inspection and have omitted the remote office from the CSC SSM scanning. This has not worked. The remote office also has an ASA 5510 (ver 8.2) but no changes were made this weekend. No updates were applied to Exchange this weekend. Previously my office was using a Cisco 1800, Cisco VPN Concentrator 3000 and Untangle gateway box. I replaced all 3 with the ASA. My supervisor is currently at this remote location and he can still email himself attachments from that particular server with no problem through the tunnel.
I am a new network admin at my company, and I am investigating a problem that is on a network designed by someone no longer here. So, I can't ask why things were set up the way they were. Anyway, here's the issue:
We have 50Mbps WAN connections between locations. The WAN devices are 3750s, but the port plugged into the provider's network is a layer 3 port. Config is below for one of the ports: [code]
So, these are Gig ports, but our service provider limits to 50Mbps. When we do a data transfer, we can't exceed about 20Mbps total on the circuit. The data transfers at maximum 15-16Mbps.
I'm not familiar with QoS. I've tried to read more about SRR, but don't understand it well enough to know. Are the QoS settings creating this restriction? Our provider swears that the bandwidth is allocated and it's not being choked on their end. I have not taken off the QoS config to test it that way because I'm not 100% sure if it's needed and serving some purpose. I don't want to break something in order to fix this.
Is the QoS causing this? Do I need to put a bandwidth statement on the port? Should we be using routers and LLQ?
I have a 3560-24PS-S (IOS version 12.2(35)SE1) that has high CPU use (almost 100%) at every inventory collection (each Sunday) or polling (each day at 6 a.m.) for 2 or 3 minutes.
I read on the forum that this could be due to some MIB object polling failure, and could perhaps be solved by upgrading the IOS version or configuring a view preventing the poll of the problematic object.
But what view to configure? Are there well-known MIB objects to filter? Which ones? I did not see any bug related to my IOS version and this behavior in the bug toolkit... I attach some sh command outputs (unfortunately done when there was no problem). I will try to obtain the output of the sh commands when the problem occurs.
I am dealing with three office networks, all three have the same conflict. The error messages I get all say there are two devices assigning ip addresses. As soon as I get the computers communicating with each other, two seem to crash overnight, I suspect due to the conflict. Here is the rundown on the networks. All are windows networks - the problem I am having is file sharing mostly and printing.
Network A: server OS is XP Pro - SP3, four workstations, XP Pro-SP3, Windstream DSL and Netgear Router. I have already bridged the router on this one, and it did not correct the conflict.
Network B: Server OS - Windows7 SP1, three workstations all XP Pro SP3, ISP is Clear (formerly clearwire). Router is the old wired Linksys befsr41 v4.
Network C: server OS - XP Pro SP2, ISP - Clear, three workstations - two are XP Pro SP3, one is XP Pro SP2. I have had less trouble with this network, but I suspect the conflict exists here as well.
I have tried to get a static IP address from Windstream where I have had my worst problems, but cannot seem to get one. I suspect we have the least expensive service option possible, and are possibly using a service designed for home use as opposed to business, as someone told me recently that getting a static IP address can be expensive. Is this true? Currently all networks have DHCP enabled, and the routers are set up to use DHCP. My thoughts were to disable DHCP and assign ip addresses manually.
decided first of all to connect an old router to the master (but not test) socket together with different cabling & splitter/microfilter - everything started working almost perfectly (apart from the downstream data rate being considerably lower than expected each time I connected - between about 1400 & 1600 Kbps - I have max. 8 Mbps). When I connected back my current router everything continued to be OK (apart from the low downstream data rate) - until I would restart the current router and everything went back to very very slow.
I have been using my DIR-655 for about 2 weeks now with Road Runner wideband services. Starting yesterday my internet became very slow and I discovered the cause was the router. I tried resetting it to factory settings and things will be fine and run smoothly for about 5-15 minutes but after that it goes back to being extremely slow. My speed tests would go from 10ms (normal) to 250-450ms. Before this issue occurred the Dlink was perfect, had full speeds. I am running a wire Ethernet connection.
I am currently using rev B and tried upgrading the firmware to 2.01NA, which had no effect, but made my internet seemingly go back to normal for the first few minutes, then nosedive again. I have also changed my speed/duplex settings in Network Config to 1 Gbps Full Duplex. I've also disabled QoS, and still no change. Not sure what else to do.
When directly connected to the modem everything seems fine. The modem is also the provided Motorola SBG6580 which I have called Time Warner to set the modem into bridge mode and have the DIR-655 connected to it.
After recently setting up a new computer, my entire network seems to randomly lose internet connection. The interval between connection losses is as short as half an hour but it sometimes goes several hours without dying; the connection is lost for anywhere between 30 seconds and 20 minutes each time it dies. The new computer is running Windows 7 and is using a Rosewill USB wireless adapter, but I have tried it with a wire and the connection still dies. I am disinclined to believe that this is caused by a virus simply because this is a brand new computer that has had only minimal use; to be on the safe side, though, I did do virus scans with multiple programs; however, I did not find anything. When the connection is lost, a yellow exclamation appears on the task bar's internet access icon. If I check my available networks, my network still shows full strength. I have tried disconnecting and reconnecting but nothing happens; I don't get any "failure to connect" type errors nor do I get the connection back. I have also tried physically removing the adapter/wire and plugging it back in, but that doesn't do anything either.
I am under the impression that the new Windows 7 computer is doing something to temporarily kill the entire network, but I don't know what. For the record, my modem is an old Motorola and my router is an old Netgear. Both are quite a few years old, but I don't think they are the problem as my internet was fine before I added the new Windows 7 computer. There are wired computers and wireless computers running XP, Vista, and 7 also on the network.
I have a DSL line at work that we use to test external services provided to external users on our primary Internet circuit (Citrix, web applications, etc). Because this DSL line is for testing only, we want to lock it down so the only destinations allowed through the firewall are our own IP spaces.
I purchased a WRVS4400N for this purpose, thinking I could use the IP based ACL list to create these restrictions. However, every time I try to create an ACL, the internet slows to a crawl, and many sites don't come up at all. This occurs even if the ACL rule I add is a simple "allow any any" rule similar to the default rules.
Is this a known issue, or am I configuring something incorrectly? Here's an example of a rule I'm using (IP not real):
Action: Allow
Service: All Protocol
Source Interface: LAN
Source: ANY
Destination: 188.8.131.52/255.255.255.240*
Time: Any Time
Day: Every Day
I also get the problem with a simple allow from a single IP (mine) to any destination, without any other rules enabled.
implementation of the ACL ruleset on these routers?
I'm attempting to create an ERSPAN session between a Nexus 5000 and a 6500 to get traffic from a FEX interface on the 5000 over to a sniffer off of the 6500. The Nexus and 6500 are directly connected with a 10G link, but I added a separate 1G link between the two for the ERSPAN traffic. I created a routed interface on the 6500, and an SVI on the Nexus. The ERSPAN session came up and looked OK from both sides, but as soon as we got a burst of traffic this morning the CPU on the 6500 spiked to 99%. I used 'debug netdr capture rx' to determine the traffic was coming in from the ERSPAN port and subsequently shut down the new interface on the 6500. Why did this cause a CPU spike? Here are the relevant configs from each device: