[nsp] Detecting hacked boxes on switch

jlewis at lewis.org jlewis at lewis.org
Tue Jul 1 11:23:41 EDT 2003


On Tue, 1 Jul 2003, James hampton wrote:

> Our bandwidth meters are maxing out on an incoming link to our provider,
> this usually means one of our boxes has been hacked and someone's pushing
> a bunch of mp3's or whatever onto one of our boxes. Most of our servers
> are connected to one of two switches, is there any way I can look at
> switchport utilization or some other method on the switch to help narrow
> down or identify which box is being hacked?

Yeah...depending on the type of switch, you may be able to log in and do a 
show interfaces to see how much traffic each port is doing.  You're not 
graphing each port via SNMP?

You could also possibly use ip accounting on your router.  Just add "ip 
accounting output" to the interface the traffic is going out (as it goes 
through your router).  Then have a look at show ip accounting.
 
----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
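
The router-side check suggested in the reply, as an added example that is not part of the original message: it totals the bytes in a "show ip accounting" listing per destination host, so the server receiving the bulk of the inbound traffic stands out. The sample rows are constructed (documentation address ranges), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of "show ip accounting";
# the addresses are documentation ranges, not taken from the thread.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 198.51.100.7     192.0.2.10                   41230            58911420
 203.0.113.99     192.0.2.10                   12877            18230112
 198.51.100.7     192.0.2.11                     310              204118
 203.0.113.5      192.0.2.12                      95               61240

Accounting data age is 12
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A data row is: source, destination, packet count, byte count.
ROW = re.compile(r"^\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\d+)\s+(\d+)\s*$")


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows


def top_destinations(rows, n=3):
    """Rank destination hosts by total bytes received.

    Returns (dst, total_bytes, percent_of_all_bytes, distinct_sources).
    """
    totals = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, _pkts, nbytes in rows:
        totals[dst] += nbytes
        sources[dst].add(src)
    grand = sum(totals.values()) or 1  # avoid dividing by zero on empty input
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(d, b, round(100.0 * b / grand, 1), len(sources[d])) for d, b in ranked[:n]]


if __name__ == "__main__":
    for dst, nbytes, pct, nsrc in top_destinations(parse_accounting(SAMPLE)):
        print(f"{dst:<15} {nbytes:>12} bytes  {pct:5.1f}%  from {nsrc} source(s)")
```
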


