[nsp] Detecting hacked boxes on switch
Christopher McCrory
chrismcc at pricegrabber.com
Tue Jul 1 09:07:34 EDT 2003
Hello...
On Tue, 2003-07-01 at 06:27, James hampton wrote:
> Our bandwidth meters are maxing out on an incoming link to our provider, this usually means one of our boxes has been hacked and someones pushing a bunch of mp3's or what ever onto one of our boxes. Most of our servers are connected to one of two switches, is there anyway I can look at switchport utilization or some other method on the switch to help narrow down or identify which box is being hacked?
> James
Not quite what you are asking for, but I use Intermapper
http://intermapper.com/ to monitor realtime bandwidth utilization. You
can , at a glance, see that all the servers/routers are working and how
much bandwidth they are using. There are also cisco specific probes to
catch line errors and high CPU utilization. Once you know what is
'normal', it is easy to see what is not. e.g. overloaded/underloaded
server or bgp balance out of whack.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc at pricegrabber.com
http://www.pricegrabber.com
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.
More information about the cisco-nsp
mailing list