
Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas

To: "Brett Hays" <bretth@htonline.net>, "Karlnet Mailing List" <karlnet@WISPNotes.com>
Subject: Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
From: "Caleb Carroll" <karlnet@pathcom.ca>
Reply-to: Karlnet Mailing List <karlnet@WISPNotes.com>
Date: Wed, 18 Jun 2003 10:39:08 -0600
List-post: <mailto:karlnet@WISPNotes.com>
Hi Brett,

Pick up a freeware package called NeTraMet & NeMaC, which are RTF collector & 
manager programs.  They are open-source packages that will allow you to get the 
information you are looking for on your network (a bandwidth abuser).

All you need to do is plug the computer running NeTraMet into an L2 bridge at 
your gateway and you will be able to find the offender very quickly!

Here is sample output from one of our traffic monitors (source IP addresses 
altered):

#---  localhost eth1  1694 flows    1kpps   1MBps   10:34:00 Wed 18 Jun 2003  ---
16%  16,7587,  2m,10.0.0.174,29502,205.210.170.33,20,  9MB,171kB
 6%  16,9247,  1m,10.0.1.139,2742,65.28.97.35,3468,  4MB,100kB
 4%  16,7952,  7m,10.0.0.202.124,29368,64.230.32.192,6881,891kB,  2MB
 4%  16,5923, 24s,10.0.1.139,2742,65.28.97.35,3475,  2MB, 57kB
 3%  16,9665, 47s,10.0.1.139,1148,24.70.199.62,2503, 44kB,  2MB
 2%  16,8318,  2m,10.0.1.139,2742,24.156.114.91,3495, 27kB,  1MB
 2%  16,7861,  2m,10.0.1.139,2742,200.164.135.42,10118,  1MB, 26kB
 2%  16,9222,  1m,10.0.2.172,1454,24.66.181.239,3966, 32kB,  1MB
 2%  16,8204,  7m,10.0.2.55,34827,209.91.64.7,12289,   0B,  1MB
 2%  16,9870, 36s,10.0.1.197,4223,66.28.200.226,80, 29kB,  1MB
58%  bytes in 1684 other flows

This just shows the top 10 network flows.  Columns are percentage of total 
traffic, flow ID, flow time, source, destination, port, and traffic in and out 
over a 30-second interval.

*********** REPLY SEPARATOR  ***********

On 2003-Jun-17 at 10:20 PM Brett Hays wrote:

>It's just a colossal pain in the a** hunting down the offender.  I
>suppose I
>need to find some better diagnostic tools or learn something.  Does anyone
>have tips on how to hunt down this sort of traffic.  All I know to do is
>watch turbocell station entries on the AP and look for traffic patterns,
>but
>that's not much help.  Are there any programs we can run at the noc to
>watch
>for traffic anomalies like this.  I am familiar with active ports and some
>other programs, but they only watch the machine they are actually installed
>on.  We run all Win2000 boxes for servers, so something that would run on
>that platform would be best.
>
>Brett Hays
>Hometown Online
>www.htonline.net
>
>----- Original Message ----- 
>From: "Bob Hrbek" <bhrbek@jagwireless.com>
>To: "Karlnet Mailing List" <karlnet@WISPNotes.com>
>Sent: Tuesday, June 17, 2003 9:33 AM
>Subject: Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
>
>
>> Brett, I think you are doing things correctly with the routing.  I don't
>> believe the storm settings will help with ICMP or UDP overloading of the
>> network.  These virus's have taken down the networks of some VERY large
>> companies.  One thing I suppose you could do is if you determine that the
>> traffic is coming from a particular customer, you could create a MAC
>filter
>> to deny their traffic at the AP until they got the problem resolved.
>>
>> I don't think that the alternative configurations that you suggested
>would
>> be of any help in these instances.
>>
>> As any other service provider would do.....if a subscriber is taking down
>> the providers network, you simply isolate them until they get their stuff
>> fixed.
>>
>> -bob
>>
>>
>> ----- Original Message -----
>> From: "Brett Hays" <bretth@htonline.net>
>> To: "Karlnet Mailing List" <karlnet@WISPNotes.com>;
><RMallory@karlnet.com>
>> Cc: <kstuckwisch@htonline.net>; "Scot Green" <sjgreen@htonline.net>
>> Sent: Tuesday, June 17, 2003 9:24 AM
>> Subject: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
>>
>>
>> > We have finally isolated a problem we have been having for over a month
>on
>> > our wireless system with some customers falling offline, etc on mostly
>> > nights and weekends for 5-15 minute durations due to excessive icmp (I
>> > believe) traffic coming from one customer location.  The customer is
>> working
>> > with us to isolate the offending machine/device and solve the problem.
>> >
>> > That said, this has been a mother to isolate and solve.  Does anyone
>have
>> > any ideas on how to protect access points from one client with code
>red,
>> > etc. pegging the whole network?  We run AP1000 base and RG1100 clients.
>> > Currently, we are routed with real world IP's on the RG's and nat for
>the
>> > customer on the ethernet side.  I noticed in the bridging setup that
>there
>> > is a section called storm protection.  If we were running bridging on
>the
>> > clients and had this enabled, would it protect from this sort of
>problem?
>> >
>> > I know that some of you have said you run nat on the access point and
>then
>> > give the real world IP to the customer's computer or dsl/cable router.
>My
>> > question regarding this is how do you access the client devices (in our
>> case
>> > RG's) to change configuration, etc. if they are behind nat on the
>access
>> > point?
>> >
>> > Please excuse any stupid questions I am asking, I have very limited
>> > experience with bridging.
>> >
>> > Brett Hays
>> > Hometown Online
>> > www.htonline.net
>> >
>> >
>> > _______________________________________________
>> > Karlnet mailing list
>> > Karlnet@WISPNotes.com
>> > http://lists.wispnotes.com/mailman/listinfo/karlnet
>> >
>>
>>
>
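The approach in Caleb's reply (meter the flows at the gateway, then rank them) is easy to automate once the collector's output is in hand. The following is an added example, not code from the post or from the NeTraMet/NeMaC project: it parses top-flow lines in the format shown above, sums the two byte columns per customer-side host, and ranks hosts rather than individual flows. It assumes, since the page does not say, that the customer side is 10.0.0.0/8, that both byte columns should be counted, and that the k/M suffixes are powers of 1024. The sample input is copied from the post (addresses were already altered there); the 5-octet address on one line is kept deliberately to show that an unparseable line is counted rather than silently dropped.

```python
"""Rank customer-side hosts from NeTraMet-style top-flow lines.

Added example, not code from the mailing-list post or from NeTraMet.
Assumptions (not stated on the page): customer side is 10.0.0.0/8, the
two byte columns are summed, and k/M/G suffixes are powers of 1024.
"""
import ipaddress
import re
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")        # assumption
_UNITS = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumption
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([kMG]?)B$")

# Constructed sample, copied from the post (addresses already altered
# by the original poster). Third flow line has a 5-octet address.
SAMPLE = """\
#---  localhost eth1  1694 flows    1kpps   1MBps   10:34:00 Wed 18 Jun 2003  ---
16%  16,7587,  2m,10.0.0.174,29502,205.210.170.33,20,  9MB,171kB
 6%  16,9247,  1m,10.0.1.139,2742,65.28.97.35,3468,  4MB,100kB
 4%  16,7952,  7m,10.0.0.202.124,29368,64.230.32.192,6881,891kB,  2MB
 4%  16,5923, 24s,10.0.1.139,2742,65.28.97.35,3475,  2MB, 57kB
 3%  16,9665, 47s,10.0.1.139,1148,24.70.199.62,2503, 44kB,  2MB
 2%  16,8318,  2m,10.0.1.139,2742,24.156.114.91,3495, 27kB,  1MB
 2%  16,7861,  2m,10.0.1.139,2742,200.164.135.42,10118,  1MB, 26kB
 2%  16,9222,  1m,10.0.2.172,1454,24.66.181.239,3966, 32kB,  1MB
 2%  16,8204,  7m,10.0.2.55,34827,209.91.64.7,12289,   0B,  1MB
 2%  16,9870, 36s,10.0.1.197,4223,66.28.200.226,80, 29kB,  1MB
58%  bytes in 1684 other flows
"""


def parse_size(text):
    """'171kB' -> 175104 bytes. Raises ValueError on anything else."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_flow(line):
    """Return (pct, src, sport, dst, dport, bytes_in, bytes_out) or None.

    Header ('#') lines and the trailing 'other flows' summary give None.
    Malformed field values raise ValueError so the caller can count them.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    pct_text, _, rest = line.partition("%")
    fields = [f.strip() for f in rest.split(",")]
    if len(fields) != 9:          # e.g. '58%  bytes in 1684 other flows'
        return None
    _, _, _, src, sport, dst, dport, b_in, b_out = fields
    return (int(pct_text), ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport),
            parse_size(b_in), parse_size(b_out))


def top_talkers(text, local_net=LOCAL_NET):
    """Sum both byte columns per local host.

    Returns ([(host, total_bytes, flow_count), ...] sorted by bytes
    descending, number_of_unparseable_lines).
    """
    totals = defaultdict(int)
    flows = defaultdict(int)
    skipped = 0
    for line in text.splitlines():
        try:
            rec = parse_flow(line)
        except ValueError:
            skipped += 1          # count it; never drop input silently
            continue
        if rec is None:
            continue
        _, src, _, dst, _, b_in, b_out = rec
        local = [a for a in (src, dst) if a in local_net]
        if not local:
            continue              # transit flow, no customer endpoint
        for host in local:
            totals[host] += b_in + b_out
            flows[host] += 1
    ranked = sorted(((str(h), totals[h], flows[h]) for h in totals),
                    key=lambda r: r[1], reverse=True)
    return ranked, skipped


if __name__ == "__main__":
    ranked, skipped = top_talkers(SAMPLE)
    for host, nbytes, n in ranked:
        print("%-15s %10d bytes in %d flows" % (host, nbytes, n))
    print("skipped %d unparseable line(s)" % skipped)
```

Run on the post's own sample, the ranking differs from the flow table: the single largest flow belongs to 10.0.0.174, but 10.0.1.139 is the heavier host once its five flows are summed. Two caveats for the ping-flood case Brett describes: a flood of small ICMP packets can be low in bytes yet still saturate a wireless link, so where the collector reports packet counts, rank by packets as well as bytes; and a NAT'd customer shows up as one address, so the ranking identifies the site, not the infected machine behind it.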