Dos Attack [7:7049]

2001-06-04 Thread Andy Low

Hi,

If there is a machine within my network generating high load of traffic, how
can I detect the machine asap?

I have cisco 7507 routers and catalyst 5509 switches. Which command should I
use to check? On the catalyst switch which command can I use to find out
port the machine is plugged to?

Thanks

Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7049&t=7049
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Dos Attack [7:7049]

2001-06-04 Thread Moh'd, Quayoom

Hi Andy 
Try this command on catalyst 5509
"show top" It gives the top stations report.
> -Original Message-
> From: Andy Low [SMTP:[EMAIL PROTECTED]]
> Sent: Mon, June 04, 2001 3:03 PM
> To:   [EMAIL PROTECTED]
> Subject:  Dos Attack [7:7049]
> 
> Hi,
> 
> If there is a machine within my network generating high load of traffic,
> how
> can I detect the machine asap?
> 
> I have cisco 7507 routers and catalyst 5509 switches. Which command should
> I
> use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
> 
> Thanks
> 
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7051&t=7049



Re: Dos Attack [7:7049]

2001-06-04 Thread Michael L. Williams

Don't know of any way to tell within the router/switch unless you check the
traffic statistics on every single port.

I would love to know of a good way with just the router and switch to do
just this...

I've always had Sniffer Pro available, and it'll pinpoint your biggest
"talkers" in which case you know the MAC address and can check the CAM on
the switch to see which port it's connected to.

Mike W.

"Andy Low" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> If there is a machine within my network generating high load of traffic, how
> can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command should I
> use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
>
> Thanks
>
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7185&t=7049



Re: Dos Attack [7:7049]

2001-06-05 Thread [EMAIL PROTECTED]

Andy,

1) Enable IP accounting on the router interface "closest" to the 
traffic in question.  Watch the output of "sh ip account" and you 
should be able to tell fairly quickly what the originating IP address 
is of the offending station

2) Now you have the IP, you know which segment the station is on, 
look at the local router's arp table to determine the MAC address

3) Look at the switch(s) to find the port the MAC is on and then 
trace to the physical station and investigate

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
> 
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
> 
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
> 
> Thanks
> 
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7233&t=7049
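
Kent's three steps (IP accounting, then the router's ARP table, then the switch CAM table) chained over saved command output, as an added example that is not part of the original thread. The sample outputs are constructed, their column layouts are simplified assumptions about `show ip accounting`, `show ip arp` and CatOS `show cam dynamic`, and all function names are hypothetical.

```python
import re

# Constructed sample outputs (not from the thread); column layouts are assumed.
SH_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 10.1.20.14       192.0.2.80                   910244           982113400
 10.1.20.31       192.0.2.25                      412               51230
 10.1.20.14       198.51.100.7                 120033           130554210
"""
SH_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.14             3   0010.a4c2.19fe  ARPA   FastEthernet1/0
Internet  10.1.20.31            11   0050.04b1.7d02  ARPA   FastEthernet1/0
"""
SH_CAM_DYNAMIC = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
20    00-50-04-b1-7d-02             4/7 [ALL]
20    00-10-a4-c2-19-fe             4/18 [ALL]
"""

def norm_mac(mac):
    """Reduce dotted (router) or dashed (switch) MAC notation to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def top_sources(accounting):
    """Step 1: sum bytes per source IP across all rows, heaviest first."""
    totals = {}
    for line in accounting.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(3))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def mac_for_ip(arp, ip):
    """Step 2: MAC the router has learned for this IP (None if no ARP entry)."""
    for f in map(str.split, arp.splitlines()):
        if len(f) >= 4 and f[0] == "Internet" and f[1] == ip:
            return norm_mac(f[3])

def port_for_mac(cam, mac):
    """Step 3: switch module/port where the MAC was learned (None if absent)."""
    for f in map(str.split, cam.splitlines()):
        if len(f) >= 3 and norm_mac(f[1]) == mac:
            return f[2]

def locate_top_talker(accounting, arp, cam):
    ip, total = top_sources(accounting)[0]
    mac = mac_for_ip(arp, ip)
    return ip, total, mac, (port_for_mac(cam, mac) if mac else None)
```

The MAC normalisation matters because the router and the switch print the same address in different notations, so a plain string comparison between the two outputs would never match.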



RE: Dos Attack [7:7049]

2001-06-05 Thread Andy Low

Hi Kent,

Will IP accounting halt the router given 50Mbps of traffic passing through?

regards,

andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2001 5:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Dos Attack [7:7049]


Andy,

1) Enable IP accounting on the router interface "closest" to the
traffic in question.  Watch the output of "sh ip account" and you
should be able to tell fairly quickly what the originating IP address
is of the offending station

2) Now you have the IP, you know which segment the station is on,
look at the local router's arp table to determine the MAC address

3) Look at the switch(s) to find the port the MAC is on and then
trace to the physical station and investigate

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
>
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
>
> Thanks
>
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7296&t=7049



RE: Dos Attack [7:7049]

2001-06-07 Thread [EMAIL PROTECTED]

In my experience, no.  I've turned on IP accounting on routers doing
hundreds of megabits of traffic with no noticeable effects.  Course,
there is always the potential for bugs/instabilities in the code, but
barring this I think you should be fine.

Just watch the CPU via "sh proc cpu" before and immediately after 
turning on IP accounting. If you start seeing the CPU spike very 
high you can always disable the accounting.  

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:

> Hi Kent,
> 
> Will IP accounting halt the router given 50Mbps of traffic passing
> through?
> 
> regards,
> 
> andy
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2001 5:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Dos Attack [7:7049]
> 
> 
> Andy,
> 
> 1) Enable IP accounting on the router interface "closest" to the
> traffic in question.  Watch the output of "sh ip account" and you
> should be able to tell fairly quickly what the originating IP address
> is of the offending station
> 
> 2) Now you have the IP, you know which segment the station is on, look
> at the local router's arp table to determine the MAC address
> 
> 3) Look at the switch(s) to find the port the MAC is on and then
> trace to the physical station and investigate
> 
> Regards,
> Kent
> 
> On 4 Jun 2001, at 8:03, Andy Low wrote:
> 
> > Hi,
> >
> > If there is a machine within my network generating high load of
> > traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command
> > should I use to check? On the catalyst switch which command can I
> > use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7524&t=7049



RE: Dos Attack [7:7049]

2001-06-08 Thread Andy Low

Hi Kent,

Do you know about netflow switching, must I enable that?

Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 1:05 AM
To: [EMAIL PROTECTED]; Andy Low
Subject: RE: Dos Attack [7:7049]


In my experience, no.  I've turned on IP accounting on routers doing
hundreds of megabits of traffic with no noticeable effects.  Course,
there is always the potential for bugs/instabilities in the code, but
barring this I think you should be fine.

Just watch the CPU via "sh proc cpu" before and immediately after 
turning on IP accounting. If you start seeing the CPU spike very 
high you can always disable the accounting.  

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:

> Hi Kent,
> 
> Will IP accounting halt the router given 50Mbps of traffic passing
> through?
> 
> regards,
> 
> andy
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2001 5:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Dos Attack [7:7049]
> 
> 
> Andy,
> 
> 1) Enable IP accounting on the router interface "closest" to the
> traffic in question.  Watch the output of "sh ip account" and you
> should be able to tell fairly quickly what the originating IP address
> is of the offending station
> 
> 2) Now you have the IP, you know which segment the station is on, look
> at the local router's arp table to determine the MAC address
> 
> 3) Look at the switch(s) to find the port the MAC is on and then
> trace to the physical station and investigate
> 
> Regards,
> Kent
> 
> On 4 Jun 2001, at 8:03, Andy Low wrote:
> 
> > Hi,
> >
> > If there is a machine within my network generating high load of
> > traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command
> > should I use to check? On the catalyst switch which command can I
> > use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7682&t=7049