There are some great suggestions listed above. There are some approaches
such as sticky ports that I really like but I don't know what your policies
are about "unknown" devices plugging into your network (AKA Free Love). For
some quick understanding of what is going on on your network, plug a
computer into your network (which segment of your network is up to you) and sniff
it out with Wireshark. You will start seeing anomalies right away.

Thanks,

Gonzalo Cervantes

Associate Director, Network Services
Barnard College
Elliott Hall Lower Level
www.barnard.edu/bcit
eMail: gcervan...@barnard.edu
Tel: 212-854-8795
Fax: 212-854-3606



On Tue, Dec 18, 2012 at 9:14 AM, Kellogg, Brian D. <bkell...@sbu.edu> wrote:

> Here are some suggestions:
> -Use Cacti to monitor interface in/out bandwidth on all ports in your core.
> -You could create rules for each subnet on your network to allow access in
> and out on your firewall.  This could be managerially time intensive
> depending on what you do or do not allow.  Then just disable rules one by
> one when you see this occurring again to see which subnets are causing the
> problem.
> -You can do the same thing as the above with named access lists on your
> core as well.
> -NTop is an open-source tool to get a better view of who is doing what on
> your Internet connection, or invest in a good mflow or sflow collector.
> -The painful way of tracking it down is to look at the input and output
> rates on all of your interfaces, working out from the core to the edge
> until you find the offending device(s).
> -If you haven't implemented QoS that incorporates mark down policies to
> scavenger class throughout your network I would highly recommend doing it.
>  We mark any edge port's traffic down to scavenger class that exceeds
> 10Mbps incoming.
> -Take a look at the NetEqualizer or other bandwidth shapers for your Inet
> connection to ensure that one or a handful of clients cannot consume your
> entire pipe.  You could use per-user microflow policing in your core on
> your Inet port to do something similar, but not as elegantly as the
> NetEqualizer.
>
>
> -Brian
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Tuesday, December 18, 2012 8:47 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: How to locate the source of problematic traffic
>
> Were you able to identify if it was on-campus or off (Internet)?  A good
> IPS/IDS at the border (or preferably, at the core*) would help.  Was it
> only your wireless network that was impacted, or both (since you posted to
> the wireless group)?
>
> *There is a concept that (I think) Forrester Research published a paper on
> like 5 or so years ago called Zero Trust Networking.  The idea is to place
> the firewall/IDS/IPS at the core instead of the edge, and monitor all
> traffic.  10 years ago, security devices weren't robust enough to really do
> this economically. The situation is much different now.  We've been doing
> this for quite a while.  Most of the time now, if we have network-wide
> problems, it's usually because of human error rather than something
> intentional.
>
> If you haven't posted this to the network group and the problem is
> network-wide, you may want to move the discussion there.
>
> -Brian
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Joann Williamson [
> joa...@usca.edu]
> Sent: Wednesday, December 12, 2012 10:17 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] How to locate the source of problematic traffic
>
> I have found that if you pay for Smartnet on your core switch, then Cisco
> TAC will usually help you span ports there that go to the edge switches
> which may not all be covered under Smartnet, monitor them, use a packet
> capture such as Wireshark, and locate the culprit.  That is our SOS plan
> when problematic traffic hits campus and isn't an obvious find.
>
> They can also assist your network engineer in implementing sticky port
> which causes users to have to call IT when they need to connect something
> new to the network if you don't have a NAC in place.  They can help you
> with ACLs which can block certain traffic, too.  To do an automatic lock,
> just shut down the ports on your core using the telnet interface going to
> the edge switches one by one, or more than one if you want to do vlan by
> vlan.
>
> If you are looking to monitor your Internet traffic and do some throttling
> of certain types of traffic, you may want to look into purchasing a packet
> shaping appliance.
>
> Hope this is the kind of advice you were looking for.
>
> +++++++++++++++++++++++++++++++++++++++++++++++
> Joann L. Williamson
> Director of Network Systems, Architecture, & Infrastructure University of
> South Carolina Aiken
> phone: 803-641-3473
> http://www.usca.edu
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hernán Badilla
> Sent: Wednesday, December 12, 2012 9:48 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] How to locate the source of problematic traffic
>
> We recently suffered some kind of attack on our network; the Internet
> connection was nearly 100% saturated. We disconnected several segments of
> our network and the symptom stopped. If the situation persists, we need
> options, software / hardware to help us identify and locate the origin and
> types of problematic traffic, an automatic lock is desirable. In our
> institution we have wired and wireless network, all devices Cisco brand.
>
> We appreciate any suggestions or experience you can share with us.
>
>
> Thanks, Hernan.
>
> INCAE Business School
> Alajuela, Costa Rica.
> office +506 24 37 22 75
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
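Several of the replies above describe the same triage step in different tooling: pull per-interface or per-flow counters at the core (Cacti, NTop, an sFlow/NetFlow collector, or interface rates walked out to the edge), work out which subnet and which host is consuming the uplink, and treat a rate threshold such as Brian Kellogg's 10 Mbps mark-down point as the trigger. The script below is an added example written for this thread; it is not code from any of the posters, from NTop, Cacti or Cisco. It runs that triage over a few constructed flow records of the shape a collector exports, attributing Internet-bound bytes to hosts and campus subnets and flagging hosts whose average outbound rate exceeds the threshold. The campus subnets, host addresses, byte counts and export window are all assumed sample values.

```python
"""Top-talker triage over flow records (added example; all data is constructed).

Given flow records such as those exported to an sFlow/NetFlow collector,
aggregate Internet-bound bytes per source host and per campus subnet, then
flag hosts whose average outbound rate over the window exceeds a threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Campus address space (assumed for this example; substitute your own subnets).
CAMPUS_SUBNETS = [
    ipaddress.ip_network("10.10.0.0/24"),   # e.g. a wired office VLAN
    ipaddress.ip_network("10.20.0.0/24"),   # e.g. a wireless client VLAN
    ipaddress.ip_network("10.30.0.0/24"),   # e.g. a lab VLAN
]


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    octets: int


# Constructed flow records for one 60-second export window.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "93.184.216.34", 51022, 443, "tcp", 2_000_000),
    Flow("10.20.0.7", "198.51.100.9", 6881, 6881, "udp", 400_000_000),  # one host saturating the uplink
    Flow("10.20.0.8", "203.0.113.20", 50001, 80, "tcp", 5_000_000),
    Flow("10.30.0.3", "10.10.0.5", 22, 50002, "tcp", 80_000_000),       # campus-internal, not Internet-bound
    Flow("10.10.0.6", "203.0.113.21", 50003, 443, "tcp", 1_500_000),
]
WINDOW_SECONDS = 60


def campus_subnet(ip_str):
    """Return the campus subnet containing ip_str, or None if the address is off-campus."""
    ip = ipaddress.ip_address(ip_str)
    for net in CAMPUS_SUBNETS:
        if ip in net:
            return net
    return None


def internet_bound_bytes(flows):
    """Bytes per source host for flows leaving campus (destination not in any campus subnet)."""
    per_host = defaultdict(int)
    for f in flows:
        if campus_subnet(f.src) is not None and campus_subnet(f.dst) is None:
            per_host[f.src] += f.octets
    return dict(per_host)


def bytes_per_subnet(per_host):
    """Roll host totals up to their campus subnet, keyed by CIDR string."""
    per_net = defaultdict(int)
    for host, octets in per_host.items():
        per_net[str(campus_subnet(host))] += octets
    return dict(per_net)


def mbps(octets, seconds):
    """Average rate in megabits per second over the export window."""
    return octets * 8 / seconds / 1_000_000


def flag_heavy_hosts(per_host, seconds, threshold_mbps=10.0):
    """Hosts whose average outbound rate exceeds the threshold, heaviest first."""
    return sorted(
        ((host, round(mbps(octets, seconds), 2))
         for host, octets in per_host.items()
         if mbps(octets, seconds) > threshold_mbps),
        key=lambda hv: hv[1], reverse=True,
    )


def top_subnet(per_net):
    """Subnet contributing the most Internet-bound bytes (None if there is no traffic)."""
    return max(per_net.items(), key=lambda kv: kv[1])[0] if per_net else None


def triage(flows, seconds=WINDOW_SECONDS, threshold_mbps=10.0):
    """Answer the two questions the thread asks: which segment, and which host(s)."""
    per_host = internet_bound_bytes(flows)
    per_net = bytes_per_subnet(per_host)
    return {
        "heavy_hosts": flag_heavy_hosts(per_host, seconds, threshold_mbps),
        "top_subnet": top_subnet(per_net),
        "per_subnet_mbps": {n: round(mbps(b, seconds), 2) for n, b in per_net.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    print("Subnet contributing most Internet-bound traffic:", result["top_subnet"])
    for host, rate in result["heavy_hosts"]:
        print(f"  {host}: {rate} Mbps outbound (over threshold)")
```

On the sample data the wireless VLAN 10.20.0.0/24 is the segment to look at and 10.20.0.7 is the only host over the line, which is the same conclusion the "disable rules one by one" and "walk the interface counters out from the core" approaches reach by hand; the campus-internal SSH transfer from 10.30.0.3 is deliberately excluded so that heavy but harmless internal traffic does not masquerade as an uplink problem.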
