It's just a colossal pain in the a** hunting down the offender.  I suppose I
need to find some better diagnostic tools or learn something.  Does anyone
have tips on how to hunt down this sort of traffic?  All I know to do is
watch TurboCell station entries on the AP and look for traffic patterns, but
that's not much help.  Are there any programs we can run at the NOC to watch
for traffic anomalies like this?  I am familiar with Active Ports and some
other programs, but they only watch the machine they are actually installed
on.  We run all Win2000 boxes for servers, so something that would run on
that platform would be best.
Brett Hays
Hometown Online
www.htonline.net
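An added example of the kind of NOC-side check asked about above (it is not code from this thread or from KarlNet): instead of a per-host tool like Active Ports, capture ICMP on a switch mirror/SPAN port or on the router that fronts the APs with tcpdump (WinDump produces the same text format on Windows), and run the text through a script that buckets packets per source per second. The tcpdump line layout, the 50 packets/second threshold and the sample capture are all assumptions/constructed data.

```python
"""Find ICMP flood sources in tcpdump text output.

Added example, not code from the mailing-list thread or from KarlNet. It
assumes a capture taken where the traffic is actually visible (mirror port
or router), produced with something like:  tcpdump -n -tt icmp
The tcpdump line layout, the threshold and the sample traffic below are
assumptions / constructed data.
"""
import re
from collections import defaultdict

# tcpdump -n -tt prints: "<epoch.usec> IP <src> > <dst>: ICMP <type>, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<kind>[^,]+)"
)


def icmp_offenders(lines, window=1.0, pps_threshold=50):
    """Return {src: (peak ICMP packets in any one window, distinct destinations)}
    for every source whose peak exceeds pps_threshold.

    Bucketing by time window is what separates a flood from a host that
    merely pings a lot over the day; the destination count separates a
    worm-style scan (many targets) from a flood aimed at one host.
    """
    counts = defaultdict(lambda: defaultdict(int))  # src -> bucket -> packets
    dsts = defaultdict(set)                          # src -> destinations seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                                    # non-ICMP or noise line
            continue
        bucket = int(float(m.group("ts")) // window)
        counts[m.group("src")][bucket] += 1
        dsts[m.group("src")].add(m.group("dst"))
    offenders = {}
    for src, per_bucket in counts.items():
        peak = max(per_bucket.values())
        if peak > pps_threshold:
            offenders[src] = (peak, len(dsts[src]))
    return offenders


def build_sample():
    """Constructed capture: 10.1.5.7 sprays 60 echo requests at 60 different
    hosts inside one second (worm-like); 10.1.2.3 pings one host once a
    second and gets replies, which is normal and must not be flagged."""
    t0 = 1055857400.0          # arbitrary epoch base (June 2003)
    lines = []
    for i in range(60):
        lines.append(f"{t0 + i * 0.01:.6f} IP 10.1.5.7 > 10.1.{i % 4}.{i + 1}: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    for i in range(3):
        lines.append(f"{t0 + i:.6f} IP 10.1.2.3 > 10.1.0.1: "
                     f"ICMP echo request, id 2, seq {i}, length 64")
        lines.append(f"{t0 + i + 0.002:.6f} IP 10.1.0.1 > 10.1.2.3: "
                     f"ICMP echo reply, id 2, seq {i}, length 64")
    return lines


if __name__ == "__main__":
    for src, (peak, ndst) in icmp_offenders(build_sample()).items():
        print(f"{src}: peak {peak} ICMP pkt/s to {ndst} distinct hosts")
```

Run it against a real capture with `tcpdump -n -tt icmp | python thisfile.py` after swapping build_sample() for sys.stdin. The source address it reports is the one to look up against the AP's station table; if the offender is behind a NAT'd RG, the address will be the RG's public IP and the customer has to finish the hunt on their own LAN.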
----- Original Message ----- 
From: "Bob Hrbek" <bhrbek@jagwireless.com>
To: "Karlnet Mailing List" <karlnet@WISPNotes.com>
Sent: Tuesday, June 17, 2003 9:33 AM
Subject: Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
> Brett, I think you are doing things correctly with the routing.  I don't
> believe the storm settings will help with ICMP or UDP overloading of the
> network.  These viruses have taken down the networks of some VERY large
> companies.  One thing I suppose you could do is, if you determine that the
> traffic is coming from a particular customer, you could create a MAC filter
> to deny their traffic at the AP until they got the problem resolved.
>
> I don't think that the alternative configurations that you suggested would
> be of any help in these instances.
>
> As any other service provider would do... if a subscriber is taking down
> the provider's network, you simply isolate them until they get their stuff
> fixed.
>
> -bob
>
>
> ----- Original Message -----
> From: "Brett Hays" <bretth@htonline.net>
> To: "Karlnet Mailing List" <karlnet@WISPNotes.com>; <RMallory@karlnet.com>
> Cc: <kstuckwisch@htonline.net>; "Scot Green" <sjgreen@htonline.net>
> Sent: Tuesday, June 17, 2003 9:24 AM
> Subject: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
>
>
> > We have finally isolated a problem we have been having for over a month on
> > our wireless system with some customers falling offline, etc. on mostly
> > nights and weekends for 5-15 minute durations due to excessive ICMP (I
> > believe) traffic coming from one customer location.  The customer is working
> > with us to isolate the offending machine/device and solve the problem.
> >
> > That said, this has been a mother to isolate and solve.  Does anyone have
> > any ideas on how to protect access points from one client with Code Red,
> > etc. pegging the whole network?  We run AP1000 base and RG1100 clients.
> > Currently, we are routed with real world IPs on the RGs and NAT for the
> > customer on the ethernet side.  I noticed in the bridging setup that there
> > is a section called storm protection.  If we were running bridging on the
> > clients and had this enabled, would it protect from this sort of problem?
> >
> > I know that some of you have said you run NAT on the access point and then
> > give the real world IP to the customer's computer or DSL/cable router.  My
> > question regarding this is how do you access the client devices (in our case
> > RGs) to change configuration, etc. if they are behind NAT on the access
> > point?
> >
> > Please excuse any stupid questions I am asking, I have very limited
> > experience with bridging.
> >
> > Brett Hays
> > Hometown Online
> > www.htonline.net
> >
> >
> > _______________________________________________
> > Karlnet mailing list
> > Karlnet@WISPNotes.com
> > http://lists.wispnotes.com/mailman/listinfo/karlnet
> >
>