[[nsp] Detecting hacked boxes on switch]

Joshua Sahala joshua.ej.smith at usa.net
Tue Jul 1 12:04:02 EDT 2003


turn on ip accounting/netflow at the upstream router
setup cricket/mrtg/nmis/etc to watch the switches
clear your switch interface counters, check the stats once or twice
an hour, and find the port(s) moving the most traffic (would scale
better if you scripted it)
span the ports/vlans, and sniff the traffic, see what ips are pushing
the most crap...

hth

/joshua

"James hampton" <jamhampton at toast.net> wrote:
> Our bandwidth meters are maxing out on an incoming link to our provider,
> this usually means one of our boxes has been hacked and someone's pushing a
> bunch of mp3's or whatever onto one of our boxes. Most of our servers are
> connected to one of two switches, is there any way I can look at switchport
> utilization or some other method on the switch to help narrow down or identify
> which box is being hacked?
> James
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 



"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
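The "check the counters, find the busiest port, script it" step above, as an added example that is not part of the original post or of any vendor tool: it parses two net-snmp style walks of IF-MIB ifInOctets/ifOutOctets taken some seconds apart, corrects for the 32-bit Counter32 wrap, and ranks ports by bits per second. The sample walks, the three-port switch and the 300 s interval are constructed for the example; the function names are assumptions.

```python
"""Rank switch ports by traffic rate from two snapshots of IF-MIB octet counters."""
import re
from typing import Dict, List, Tuple

COUNTER32_MODULUS = 2 ** 32  # ifInOctets/ifOutOctets are Counter32 objects and wrap at 2^32

# net-snmp prints walked counters as e.g. "IF-MIB::ifInOctets.3 = Counter32: 1234567"
_SNMP_LINE = re.compile(
    r"^IF-MIB::(ifInOctets|ifOutOctets)\.(\d+)\s*=\s*Counter32:\s*(\d+)$"
)


def parse_snmpwalk(text: str) -> Dict[int, Dict[str, int]]:
    """Turn snmpwalk output into {ifIndex: {"in": octets, "out": octets}}; other lines are ignored."""
    counters: Dict[int, Dict[str, int]] = {}
    for line in text.splitlines():
        m = _SNMP_LINE.match(line.strip())
        if m is None:
            continue
        direction = "in" if m.group(1) == "ifInOctets" else "out"
        counters.setdefault(int(m.group(2)), {})[direction] = int(m.group(3))
    return counters


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Octets counted between two samples, correcting for a single Counter32 wrap.

    A 32-bit octet counter on a saturated gigabit port wraps in roughly half a
    minute, so new < old is treated as one wrap rather than negative traffic.
    A counter cleared between the two samples looks the same as a wrap: take
    both samples after clearing, not one on each side of it.
    """
    if new >= old:
        return new - old
    return (modulus - old) + new


def rank_ports(before: Dict[int, Dict[str, int]],
               after: Dict[int, Dict[str, int]],
               seconds: float) -> List[Tuple[int, int, int, float]]:
    """Return (ifIndex, in_octets, out_octets, bits_per_second) per port, busiest first.

    Ports missing either counter in either snapshot are skipped.
    """
    rows = []
    for ifindex, new in after.items():
        old = before.get(ifindex, {})
        if not {"in", "out"} <= set(old) & set(new):
            continue
        d_in = counter_delta(old["in"], new["in"])
        d_out = counter_delta(old["out"], new["out"])
        rows.append((ifindex, d_in, d_out, (d_in + d_out) * 8 / seconds))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def top_talkers(before_text: str, after_text: str, seconds: float):
    """Convenience wrapper: two raw snmpwalk outputs in, ranked port list out."""
    return rank_ports(parse_snmpwalk(before_text), parse_snmpwalk(after_text), seconds)


# Constructed sample (not real device output): two walks 300 s apart on a three-port switch.
# Port 2's input counter wraps between the samples; its output is pushing ~10 Mbit/s.
SAMPLE_T0 = """\
IF-MIB::ifInOctets.1 = Counter32: 1000000
IF-MIB::ifInOctets.2 = Counter32: 4294960000
IF-MIB::ifInOctets.3 = Counter32: 75000
IF-MIB::ifOutOctets.1 = Counter32: 2000000
IF-MIB::ifOutOctets.2 = Counter32: 500000
IF-MIB::ifOutOctets.3 = Counter32: 80000
"""
SAMPLE_T1 = """\
IF-MIB::ifInOctets.1 = Counter32: 1300000
IF-MIB::ifInOctets.2 = Counter32: 2000
IF-MIB::ifInOctets.3 = Counter32: 225000
IF-MIB::ifOutOctets.1 = Counter32: 2600000
IF-MIB::ifOutOctets.2 = Counter32: 375500000
IF-MIB::ifOutOctets.3 = Counter32: 110000
"""
SAMPLE_INTERVAL = 300  # seconds between the two walks

if __name__ == "__main__":
    for ifindex, d_in, d_out, bps in top_talkers(SAMPLE_T0, SAMPLE_T1, SAMPLE_INTERVAL):
        print(f"ifIndex {ifindex}: in {d_in} B, out {d_out} B, {bps / 1e6:.3f} Mbit/s")
```

The wrap correction only recovers a single wrap; if the polling interval is longer than the time a port takes to push 4 GB (a few minutes at 100 Mbit/s), poll more often or walk the 64-bit ifHCInOctets/ifHCOutOctets columns instead. The port that tops the list is where to point the SPAN session from the next step.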