At 03:27 PM 7/5/02, hantu wrote:
>List,
>
> Recently, both ZoneAlarm personal firewalls installed on all Windows-based
>machines and also on the NIDS, a lot of "protocol 88" traffic has been
>recorded.

Protocol 88 seems to be a Cisco-specific protocol:

[root@hermes /]# grep 88 /etc/protocols
eigrp   88      EIGRP           # Enhanced Interior Routing Protocol (Cisco)
[root@hermes /]#

So I guess the most obvious question first: Do you have any Cisco gear (particularly routers) on your network? Any equipment that was installed prior to all these alerts would be the first thing I'd check; next, I'd check ALL routers (and other 'border' equipment) for signs of a compromise or misconfiguration.

I've seen cases where equipment (not Cisco in particular) started literally flooding the network -- most of the network was accessible... but VERY, VERY slow (a 100baseT section was reduced to a few kilobytes/sec of available bandwidth). It turned out to be a configuration problem with a switch or something (I forget exactly what caused it now). May be something similar in your case...

Just a thought.

- Peter Kristolaitis