H3C's First General-Purpose Mid-to-High-End Layer 3 Switch: A Breakthrough Story – Fifth Tribulation: Excessively High CPU Utilization

Table of Content [Hide]

Before the routing abnormality issue was fully resolved, the fifth tribulation struck! Following the recommendation of the S6500 R&D team, the routine inspection tasks of the S6500 support team were updated to include monitoring of the S6500 CPU utilization and memory utilization. As expected, inspections revealed that the S6500 at many nodes suffered from excessively high CPU utilization and overly high memory utilization.

h3cs-first-general-purpose-mid-to-high-end-layer-3-switch-fifth-tribulation-excessively-high-cpu-utilization-1.jpg

Engineers from the S6500 support team collected information from the S6500 devices with abnormally high CPU utilization in accordance with R&D guidance and promptly submitted the data to the S6500 R&D team.

After analyzing the information collected from multiple nodes, the S6500 R&D team reached a final conclusion: the issue was caused by worm virus attacks on the network.

The period from 2003 to 2007 marked the peak of Internet worm outbreaks. Many highly impactful worms emerged during this time, including Worm.Blaster, Shockwave, Zotob, MSN virus, Worm.Viking.dr (also known as Panda Burning Incense), and others.

Worm outbreaks affect network devices mainly in the following aspects:

Massive bandwidth consumption: Worms generate huge network traffic through automatic scanning and propagation, causing bandwidth congestion and even paralyzing LANs or backbone networks in severe cases.
Degraded or crashed network device performance: Infected devices such as routers and switches process a large number of abnormal requests, leading to CPU overload and memory exhaustion, which may result in service interruption or device reboot.
Network service outages: Worms may exploit device vulnerabilities (such as TR064/069 protocol flaws) to control network equipment, shut down critical ports, or launch DDoS attacks, causing large-scale network disconnections.
Expanded propagation scope: Worms can spread laterally through network shares, USB drives, weak passwords, and other channels, infecting peripherals like printers and NAS to further enlarge the attack surface.
Stealth control and backdoor implantation: Some worms implant backdoors after infecting devices, turning them into botnet nodes for continuous remote control and subsequent attacks.

h3cs-first-general-purpose-mid-to-high-end-layer-3-switch-fifth-tribulation-excessively-high-cpu-utilization-2.jpg

After confirming that worm virus attacks could lead to critical risks such as excessively high CPU utilization and memory exhaustion on the S6500, the S6500 R&D team released a targeted software version. The version added CPU protection mechanism and memory protection mechanism, and further integrated features including Port Security, Storm Control, DHCP Snooping, and ARP Inspection to effectively mitigate the impact of worm viruses on the stable operation of the S6500.

h3cs-first-general-purpose-mid-to-high-end-layer-3-switch-fifth-tribulation-excessively-high-cpu-utilization-3.jpg

The S6500 trial support team then upgraded the software version on all S6500 switches at the 112 trial nodes, overcoming both the fourth and fifth tribulations.

By Lanbras

Lanbras specializes in translating cutting-edge optical and Ethernet transmission technologies into clear, valuable insights that help our customers stay ahead in a fast-evolving digital world.

By turning complex technical concepts into practical, business-driven content, we aim to empower decision-makers with the knowledge they need to make confident, future-ready choices.

PREV: H3C's First General-Purpose Mid-to-High-End Layer 3 Switch: A Breakthrough Story – Fourth Tribulation: Routing Abnormality

NEXT: No information

References

Lastest News & Blog about Lanbras

H3C's First General-Purpose Mid-to-High-End Layer 3 Switch: A Breakthrough Story – Fourth Tribulation: Routing Abnormality

As more and more internet cafe users and enterprise users were cut over and activated on the S6500, the fourth tribulation emerged! From time to time, nodes reported that internet cafe users connected...

 May 08, 2026

Learn More

H3C's First General-Purpose Mid-to-High-End Layer 3 Switch: A Breakthrough Story – Third Tribulation: Forwarding Abnormality

After a large number of internet cafe users were cut over to the S6500, the third tribulation struck! Nodes reported occasional service outages affecting one or several internet cafes connected under ...

 May 07, 2026

Learn More

H3C's First General-Purpose Mid-to-High-End Layer 3 Switch: A Breakthrough Story – Second Tribulation: Specification Limitation

In late 2004, H3C's newly developed S6500 general-purpose mid-to-high-end Layer 3 switch was delivered for trial deployment at 112 broadband MAN nodes of friendly user XX Telecom. As user services...

 May 06, 2026

Learn More