Educause Security Discussion mailing list archives

Re: DOS/Broadcast Storm analysis


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 25 Mar 2004 15:07:47 -0500

West, David F. wrote:

We appear to be having a DOS, Broadcast Storm or equivalent activity happening at a time frame every day for about 45 
minutes. Same time every day but we have no resources to analyze the traffic. Our college is relatively small with 
only about 300 staff and 1500 students. Is there a low cost solution for monitoring and diagnosing a switched IP 
environment? All buildings are home-run via fiber to our main network center. Suggestions for solutions are greatly 
appreciated since we have a very limited staff to support the network here.

It's difficult to say without a better idea of the
symptoms you are seeing but here are some general tips...

Manual methods:

1. Starting with your core router, login and check interface
   statistics, particularly packet rates and errors. Work out
   from the troublesome interface through your switches until
   you find the culprit. If it's a major event, you might
   simply be able to see it by monitoring the interface lights
   at your fiber termination point.

2. Login to the system(s) being affected, monitor interface
   statistics and connection logs, and trace back as in #1.
   Use netstat on Unix, Performance Monitor on Windows.

3. Get a packet capture. You can use the free Network Monitor
   that comes with Windows:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;812953
   or the open source Ethereal tool on either Windows or Linux.

   Broadcast traffic will generally show up on all switch ports
   connected to the same router interface. To collect other
   traffic, you will have to learn how to create a span port on
   your switch or have a tap so that you can sniff traffic on the
   segment(s) of interest.

Future automation:

1. Set up an SNMP management station to poll interface
   statistics from your switches and systems. Alert
   according to thresholds above or below
   a baseline. Free software abounds. Check out MRTG for
   starters.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
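The "future automation" advice above amounts to: poll interface counters, turn them into rates, establish a quiet-period baseline, and alert when the rate stays above it. The following script is an added example that is not from the mailing-list post or from MRTG; it assumes the counters have already been collected from something like IF-MIB's ifInNUcastPkts (SNMP Counter32) at a fixed polling interval. The sample counters are constructed by hand to model a 45-minute broadcast burst against a ~50 packets/second background, and the counter start value is chosen so that the 32-bit wraparound path is exercised (a common source of bogus spikes in home-grown pollers).

```python
"""Broadcast-storm detection from polled interface counters.

Added example, not code from the original post. Assumes counter samples
(timestamp, Counter32 value) were already gathered by an SNMP poller at
a fixed interval; the data below is constructed to show the method.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32  # SNMP Counter32 wraps modulo 2^32


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Difference between two counter readings, correcting for wraparound."""
    return (cur - prev) % width


def rates(samples: List[Tuple[int, int]]) -> List[Tuple[int, float]]:
    """Turn (timestamp, counter) samples into (timestamp, packets/sec)."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # skip duplicate or out-of-order polls
        out.append((t1, counter_delta(c0, c1) / dt))
    return out


def baseline(rate_values: List[float], k: float = 3.0) -> Tuple[float, float]:
    """Mean rate and alert threshold (mean + k * stddev) from a quiet period."""
    m = mean(rate_values)
    return m, m + k * pstdev(rate_values)


def find_storms(rate_series: List[Tuple[int, float]], threshold: float,
                min_consecutive: int = 2) -> List[Tuple[int, int]]:
    """Return (start, end) timestamps where the rate stayed above threshold
    for at least min_consecutive polls; single-poll blips are ignored."""
    storms = []
    run_start: Optional[int] = None
    run_len = 0
    last = 0
    for t, r in rate_series:
        if r > threshold:
            if run_start is None:
                run_start = t
            run_len += 1
            last = t
        else:
            if run_start is not None and run_len >= min_consecutive:
                storms.append((run_start, last))
            run_start, run_len = None, 0
    if run_start is not None and run_len >= min_consecutive:
        storms.append((run_start, last))
    return storms


def build_sample_counters() -> List[Tuple[int, int]]:
    """Constructed data: 5-minute polls, ~50 pps background, then nine polls
    (45 minutes) at ~5000 pps, then quiet again. Starts just below 2^32 so
    the second delta crosses the Counter32 wrap."""
    per_poll = [15000, 15300, 14700, 15100, 14900, 15200,
                14800, 15000, 15100, 14900, 15000, 15200]   # 1 hour quiet
    per_poll += [1_500_000] * 9                            # 45-minute storm
    per_poll += [15000, 14900, 15100]                      # quiet again
    counter = COUNTER32_MAX - 20_000
    samples = [(0, counter)]
    for i, inc in enumerate(per_poll, start=1):
        counter = (counter + inc) % COUNTER32_MAX
        samples.append((i * 300, counter))
    return samples


def analyse(samples: List[Tuple[int, int]], quiet_polls: int = 12):
    """Baseline on the first quiet_polls intervals, then flag storms."""
    r = rates(samples)
    m, thr = baseline([v for _, v in r[:quiet_polls]])
    return m, thr, find_storms(r, thr)


if __name__ == "__main__":
    m, thr, storms = analyse(build_sample_counters())
    print(f"baseline {m:.1f} pps, alert above {thr:.1f} pps")
    for start, end in storms:
        print(f"storm from t={start}s to t={end}s")
```

In practice the quiet-period baseline would be learned per interface and per hour of day, which also makes a recurring same-time-every-day event (as in the original question) stand out as a predictable window to capture packets in.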
