Educause Security Discussion mailing list archives

Re: DOS/Broadcast Storm analysis


From: Brian Kaye <bdk () UNB CA>
Date: Thu, 25 Mar 2004 16:00:11 -0400

We have had a bunch of similar incidents in the past.

Best plan is to start isolating the segments of the network briefly. Just
pull the fibre for a few seconds and see if the DOS goes away. You could
have multiple "attackers" in which case the process needs to go the other
way. Remove all but one segment and add them until you see the bad
traffic. Then work your way out from there to distribution switches.

You could also go look at each switch and see which ports are generating
the most send traffic.

Is your network "flat" (only a few subnets)?

As for looking at the traffic cheaply, try "ethereal" on a UNIX box.
No diagnosis but you can capture the packets. Look at the MAC address of
the DOS traffic and find which switch has that in its forwarding database.

......Brian Kaye
......University of New Brunswick

On Thu, 25 Mar 2004, West, David F. wrote:

Date: Thu, 25 Mar 2004 14:05:55 -0500
From: "West, David F." <dfwest () ST-AUG EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DOS/Broadcast Storm analysis

We appear to be having a DOS, Broadcast Storm or equivalent activity
happening at a time frame every day for about 45 minutes. Same time
every day but we have no resources to analyze the traffic. Our college
is relatively small with only about 300 staff and 1500 students. Is
there a low cost solution for monitoring and diagnosing a switched IP
environment? All buildings are home runned via fiber to our main network
center. Suggestions for solutions are greatly appreciated since we have a
very limited staff to support the network here.

Thank you,
David West
Senior Network Engineer
Saint Augustine's College
dfwest () st-aug edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
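
An added example, not part of the original thread: one way to turn a saved packet capture into the per-MAC ranking the reply suggests, so the top source can then be looked up in the switches' forwarding databases. It assumes the capture was saved in classic libpcap format with an Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
# Classic libpcap magic numbers as stored on disk -> struct byte order
# (microsecond and nanosecond timestamp variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def mac(raw):
    return ":".join(f"{x:02x}" for x in raw)

def top_broadcast_sources(pcap, n=5):
    """Rank source MACs by count of Ethernet broadcast frames in a capture."""
    order = MAGICS.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:  # 1 = Ethernet
        raise ValueError("capture is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len or len(frame) < 12:
            continue  # truncated record or runt frame: skip it
        if frame[:6] == BROADCAST:  # destination MAC comes first
            counts[mac(frame[6:12])] += 1
    return counts.most_common(n)

def build_sample_capture():
    """Constructed capture: one noisy host, one quiet host, some unicast."""
    def rec(dst, src):
        frame = dst + src + b"\x08\x06" + bytes(46)  # ARP ethertype, padding
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    noisy = bytes.fromhex("0200000000aa")  # constructed MAC addresses
    quiet = bytes.fromhex("0200000000bb")
    return (header + rec(BROADCAST, noisy) * 40 + rec(BROADCAST, quiet) * 3
            + rec(quiet, noisy) * 5)

if __name__ == "__main__":
    for src, frames in top_broadcast_sources(build_sample_capture()):
        print(f"{src}  {frames} broadcast frames")
```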

