Educause Security Discussion mailing list archives

Re: DOS/Broadcast Storm analysis


From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Thu, 25 Mar 2004 11:57:31 -0800

David,

There are several open source (free) solutions out there.  We use NetFlow
stats on our network along with other things. 

General Monitoring:
-------------------
MRTG - http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Cacti w/ RRDTool - http://www.raxnet.net/products/cacti/

(You can use these for finding the source building by looking at port usage
w/ SNMP)


Packet Analysis / Sniffing:
---------------------------
Ethereal - http://ethereal.zing.org/ 

Snort - http://www.datanerds.net/~mike/snort.html (main site is
www.snort.org)


Advanced Monitoring:
--------------------
Netflow Monitor - http://netflow.cesnet.cz/

Netflow info - http://netflowguide.com/

Nagios - http://www.nagios.org/download/extras.php


Vulnerability Scanning:
-----------------------

Nessus - http://www.nessus.org

We are in the process of evaluating many of these for our use in the future.
We are already using MRTG, Cacti and Nessus.  Depending upon your
environment (gear), there could be commands to look at traffic on your
network.  Here are some we use from the Cisco realm -

Catalyst 4k/6k/29xx:

Show top
Show mac / show mac util

Routers:
Turn on netflow, then: 
        - show ip cache flow 
        - show ip cache flow | in 0800 (ICMP)
        - show ip cache flow | in 01BD (TCP/UDP Port 445)
        - show ip cache flow | in 0087 (TCP/UDP Port 135)

(If someone is behaving undesirably, you will see them as the source IP
several times and the destination port will be the same or in progression,
i.e., port scanning)

PIX:

show local-host  | in TCP connection count/limit
(This will give you a list of connection counts, look for ones at 400+ then
do the following)

show local-host  | in TCP connection count/limit = XXX
(once you see that there are hosts at an amount that is concerning)

show local-host  | be TCP connection count/limit = XXX
(this works about 40% of the time off the bat. May have to use it a few
times.  When you succeed in finding them, you will get the following)

PIX# show local-host  | be TCP connection count/limit = 33
    TCP connection count/limit = 332/unlimited
    TCP embryonic count = 69
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    PAT Global 1.1.1.1(29013) Local 10.10.10.10(4951)
    PAT Global 1.1.1.1(29014) Local 10.10.10.10(4952)
    PAT Global 1.1.1.1(29016) Local 10.10.10.10(4954)
    PAT Global 1.1.1.1(33394) Local 10.10.10.10(3453)
    PAT Global 1.1.1.1(35194) Local 10.10.10.10(3612)
    PAT Global 1.1.1.1(37938) Local 10.10.10.10(3854)
(From what I have seen, most systems shouldn't be over 100 for the connection count)

- show xlate
- show xlate local xxx.xxx.xxx.xxx netmask 255.255.255.255 (if you know the
host that is causing the issue)

These commands and the open source tools should help you.  We have had far
less downtime from DoS attacks and viruses with these methods/tools for
detecting systems behaving undesirably.

Thanks,
Travis
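As an added example (not part of Travis's post), here is a small Python script that applies his NetFlow heuristic to a constructed sample of `show ip cache flow` output: it flags a source IP that hits the same destination port on many hosts (worm-style sweep, e.g. port 445) and a source that walks consecutive destination ports on one host (port scan). The column layout, sample addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip cache flow` output (SrcP/DstP/Pr are hex, as on IOS).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.10.10.10     Fa0/1         192.168.1.5     06 0C7A 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.6     06 0C7B 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.7     06 0C7C 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.8     06 0C7D 01BD     3
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D01 0015     2
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D02 0016     2
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D03 0017     2
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D04 0018     2
Fa0/0         10.10.10.30     Fa0/1         192.168.1.60    06 0E10 0050   120
Fa0/0         10.10.10.30     Fa0/1         192.168.1.61    11 0E11 0035     2
"""

FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flows(text):
    """Return (src_ip, dst_ip, proto, dst_port) tuples; the header and any
    non-flow lines are skipped, and hex fields are converted to integers."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        _, src, _, dst, proto, _, dport, _ = m.groups()
        flows.append((src, dst, int(proto, 16), int(dport, 16)))
    return flows


def suspicious_sources(flows, min_flows=4):
    """Map source IP -> reason for sources with at least min_flows flows that
    either sweep one port across many hosts or scan consecutive ports on one host."""
    by_src = defaultdict(list)
    for src, dst, _proto, dport in flows:
        by_src[src].append((dst, dport))
    findings = {}
    for src, pairs in by_src.items():
        if len(pairs) < min_flows:
            continue
        dsts = {d for d, _ in pairs}
        ports = sorted({p for _, p in pairs})
        if len(ports) == 1 and len(dsts) >= min_flows:
            findings[src] = f"sweep: port {ports[0]} on {len(dsts)} hosts"
        elif len(dsts) == 1 and all(b - a == 1 for a, b in zip(ports, ports[1:])):
            findings[src] = f"scan: ports {ports[0]}-{ports[-1]} on {next(iter(dsts))}"
    return findings
```

Running `suspicious_sources(parse_flows(SAMPLE))` reports the 445 sweep from 10.10.10.10 and the 21-24 scan from 10.10.10.20, while the ordinary web and DNS traffic from 10.10.10.30 is left alone.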

-----Original Message-----
From: West, David F. [mailto:dfwest () ST-AUG EDU] 
Sent: Thursday, March 25, 2004 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DOS/Broadcast Storm analysis

We appear to be having a DOS, Broadcast Storm or equivalent activity
happening at a time frame every day for about 45 minutes. Same time every
day but we have no resources to analyze the traffic. Our college is
relatively small with only about 300 staff and 1500 students. Is there a low
cost solution for monitoring and diagnosing a switched IP environment? All
buildings are home-run via fiber to our main network center. Suggestions
for solutions are greatly appreciated since we have a very limited staff to
support the network here.

Thank you,
David West
Senior Network Engineer
Saint Augustine's College
dfwest () st-aug edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
