Educause Security Discussion mailing list archives
Re: DOS/Broadcast Storm analysis
From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Thu, 25 Mar 2004 11:57:31 -0800
David,

There are several open source (free) solutions out there. We use NetFlow stats on our network along with other things.

General Monitoring:
-------------------
MRTG - http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Cacti w/ RRDTool - http://www.raxnet.net/products/cacti/
(You can use these for finding the source building by looking at port usage w/ SNMP)

Packet Analysis / Sniffing:
---------------------------
Ethereal - http://ethereal.zing.org/
Snort - http://www.datanerds.net/~mike/snort.html (main site is www.snort.org)

Advanced Monitoring:
--------------------
Netflow Monitor - http://netflow.cesnet.cz/
Netflow info - http://netflowguide.com/
Nagios - http://www.nagios.org/download/extras.php

Vulnerability Scanning:
-----------------------
Nessus - http://www.nessus.org

We are in the process of evaluating many of these for our use in the future. We are already using MRTG, Cacti and Nessus.

Depending upon your environment (gear), there could be commands to look at traffic on your network. Here are some we use from the Cisco realm -

Catalyst 4k/6k/29xx:
Show top
Show mac / show mac util

Routers:
Turn on netflow, then:
- show ip cache flow
- show ip cache flow | in 0800 (ICMP)
- show ip cache flow | in 01BD (TCP/UDP Port 445)
- show ip cache flow | in 0087 (TCP/UDP Port 135)
(If someone is behaving undesirably, you will see them as the source IP several times and the destination port will be the same or in progression, i.e. port scanning)

PIX:
show local-host | in TCP connection count/limit
(This will give you a list of connection counts; look for ones at 400+, then do the following)
show local-host | in TCP connection count/limit = XXX
(once you see that there are hosts at an amount that is concerning)
show local-host | be TCP connection count/limit = XXX
(this works about 40% of the time off the bat. May have to use it a few times. When you succeed in finding them, you will get the following)

PIX# show local-host | be TCP connection count/limit = 33
TCP connection count/limit = 332/unlimited
TCP embryonic count = 69
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
PAT Global 1.1.1.1(29013) Local 10.10.10.10(4951)
PAT Global 1.1.1.1(29014) Local 10.10.10.10(4952)
PAT Global 1.1.1.1(29016) Local 10.10.10.10(4954)
PAT Global 1.1.1.1(33394) Local 10.10.10.10(3453)
PAT Global 1.1.1.1(35194) Local 10.10.10.10(3612)
PAT Global 1.1.1.1(37938) Local 10.10.10.10(3854)
(I have seen most systems shouldn't be over 100 for the connection count)

- Show xlate
- show xlate local xxx.xxx.xxx.xxx netmask 255.255.255.255 (if you know the host that is causing the issue)

These commands and the open source tools should help you. We have had far less downtime from DoS attacks and viruses with these methods/tools for detecting systems behaving undesirably.

Thanks,
Travis

-----Original Message-----
From: West, David F. [mailto:dfwest () ST-AUG EDU]
Sent: Thursday, March 25, 2004 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DOS/Broadcast Storm analysis

We appear to be having a DOS, Broadcast Storm or equivalent activity happening at a time frame every day for about 45 minutes. Same time every day, but we have no resources to analyze the traffic. Our college is relatively small with only about 300 staff and 1500 students. Is there a low cost solution for monitoring and diagnosing a switched IP environment? All buildings are home-run via fiber to our main network center. Suggestions for solutions are greatly appreciated since we have a very limited staff to support the network here.

Thank you,
David West
Senior Network Engineer
Saint Augustine's College
dfwest () st-aug edu

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
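As an added example, not part of Travis's message or the list archive, the following Python script applies the two triage checks he describes to constructed sample output: it parses `show ip cache flow` lines and flags a source IP that appears repeatedly with the same destination port (a sweep of one service across many hosts) or with destination ports in progression (a port scan of one host), and it reads the TCP connection count from a PIX `show local-host` line and compares it against the "shouldn't be over 100" rule of thumb. The sample flow table, the host addresses in it, the threshold values and the function names are my assumptions; the hexadecimal Pr/SrcP/DstP columns follow the IOS output format the commands in the message filter on.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip cache flow` output (hypothetical hosts, not
# taken from the original message). Pr, SrcP and DstP are hexadecimal as IOS
# prints them: 06 = TCP, 01 = ICMP, 01BD = port 445, 0800 = ICMP echo request.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.10.10.10     Fa0/1         192.168.1.5     06 0C8A 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.6     06 0C8B 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.7     06 0C8C 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.8     06 0C8D 01BD     3
Fa0/0         10.10.10.10     Fa0/1         192.168.1.9     06 0C8E 01BD     3
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D05 0015     1
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D06 0016     1
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D07 0017     1
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D08 0018     1
Fa0/0         10.10.10.20     Fa0/1         192.168.1.50    06 0D09 0019     1
Fa0/0         10.10.10.30     Fa0/1         192.168.1.200   06 0B2F 0050   120
Fa0/0         10.10.10.40     Fa0/1         192.168.1.201   01 0000 0800     4
"""

# One data row of the flow table; the header row does not match because its
# address columns are not dotted quads.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flow_cache(text):
    """Turn `show ip cache flow` text into a list of flow dicts with ints."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "src": m.group(2), "dst": m.group(4),
            "proto": int(m.group(5), 16),
            "sport": int(m.group(6), 16), "dport": int(m.group(7), 16),
            "pkts": int(m.group(8)),
        })
    return flows


def find_suspicious_sources(flows, min_flows=5):
    """Return {src_ip: [reason, ...]} for sources seen in at least min_flows
    flows whose destination ports are all identical (service sweep) or form
    an unbroken progression (port scan). min_flows is an assumed threshold."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    findings = {}
    for src, fl in sorted(by_src.items()):
        if len(fl) < min_flows:
            continue
        dports = sorted(f["dport"] for f in fl)
        dsts = sorted(set(f["dst"] for f in fl))
        reasons = []
        if len(set(dports)) == 1:
            reasons.append("same dst port %d in %d flows to %d hosts"
                           % (dports[0], len(fl), len(dsts)))
        elif all(b - a == 1 for a, b in zip(dports, dports[1:])):
            reasons.append("sequential dst ports %d-%d on %s"
                           % (dports[0], dports[-1], ", ".join(dsts)))
        if reasons:
            findings[src] = reasons
    return findings


# PIX `show local-host` summary line, as quoted in the message.
PIX_CONN_RE = re.compile(r"TCP connection count/limit = (\d+)/(\S+)")


def tcp_connection_count(pix_line):
    """Extract the current TCP connection count, or None if absent."""
    m = PIX_CONN_RE.search(pix_line)
    return int(m.group(1)) if m else None


def over_threshold(count, threshold=100):
    """Apply the rule of thumb that a normal host stays under ~100 connections."""
    return count is not None and count > threshold


if __name__ == "__main__":
    for src, reasons in find_suspicious_sources(parse_flow_cache(SAMPLE_FLOW_CACHE)).items():
        print(src, "->", "; ".join(reasons))
    n = tcp_connection_count("TCP connection count/limit = 332/unlimited")
    print("PIX host connections:", n, "over threshold:", over_threshold(n))
```

The same parser works on a saved `show ip cache flow` capture: lower `min_flows` for a small network, and add the `proto` field to the grouping key if you want ICMP floods (DstP `0800`) reported separately from TCP scans.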
Current thread:
- DOS/Broadcast Storm analysis West, David F. (Mar 25)
- <Possible follow-ups>
- Re: DOS/Broadcast Storm analysis Scott Weeks (Mar 25)
- Re: DOS/Broadcast Storm analysis Niedens, Travis (Mar 25)
- Re: DOS/Broadcast Storm analysis Brian Kaye (Mar 25)
- Re: DOS/Broadcast Storm analysis Gary Flynn (Mar 25)
- Re: DOS/Broadcast Storm analysis Mark Poepping (Mar 25)
- Re: DOS/Broadcast Storm analysis Niedens, Travis (Mar 25)