From: Sam Munzani (sam@munzani.com)
Date: Wed Aug 27 2003 - 16:59:03 GMT-3
Raj,
We didn't have NetFlow enabled either and Sniffer was the only way. Our
baseline traffic pattern was 90% HTTP and the rest others. Under Nachi attack, we
saw 3 times more ICMP than HTTP in sniffer traces.
Sam
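The approach Sam describes (sniffer traces, compare ICMP echo against the HTTP baseline) can be turned into a quick per-source tally that answers Raj's question of which inside hosts are generating the type 8 traffic. This is an added example, not code from either poster; it assumes tcpdump-style text lines and the sample trace is constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines standing in for a sniffer trace taken on the
# inside interface (sample data, not a capture from the thread).
SAMPLE_TRACE = """\
IP 10.1.2.17 > 203.0.113.5: ICMP echo request, id 512, seq 1, length 92
IP 10.1.2.17 > 203.0.113.6: ICMP echo request, id 512, seq 2, length 92
IP 10.1.2.17 > 203.0.113.7: ICMP echo request, id 512, seq 3, length 92
IP 10.1.2.40.1034 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
IP 10.1.2.41.1035 > 198.51.100.11.80: Flags [P.], seq 1:100, ack 1, length 99
IP 10.1.2.41 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
IP 10.1.2.99 > 203.0.113.20: ICMP echo request, id 512, seq 1, length 92
IP 10.1.2.99 > 203.0.113.21: ICMP echo request, id 512, seq 2, length 92
IP 10.1.2.99 > 203.0.113.22: ICMP echo request, id 512, seq 3, length 92
"""
LINE_RE = re.compile(r"\bIP (\S+) > (\S+): (.*)$")

def host(addr):
    """Drop a trailing tcpdump-style port: '10.1.2.40.1034' -> '10.1.2.40'."""
    return ".".join(addr.split(".")[:4])

def parse_line(line):
    """Return (src, dst, kind), kind in {'icmp_echo', 'http', 'other'}, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("ICMP echo request"):   # ICMP type 8, as seen on the PIX
        kind = "icmp_echo"
    else:
        kind = "http" if dst.endswith(".80") or src.endswith(".80") else "other"
    return host(src), host(dst), kind

def summarize(trace):
    """Packet counts per kind and, per source, the number of distinct echo targets."""
    counts = {"icmp_echo": 0, "http": 0, "other": 0}
    targets = defaultdict(set)
    for parsed in filter(None, map(parse_line, trace.splitlines())):
        src, dst, kind = parsed
        counts[kind] += 1
        if kind == "icmp_echo":
            targets[src].add(dst)
    return counts, {s: len(t) for s, t in targets.items()}

def suspect_hosts(trace, min_targets=3):
    """Sources pinging >= min_targets distinct hosts (scan fan-out), busiest first."""
    _, fanout = summarize(trace)
    return sorted((s for s, n in fanout.items() if n >= min_targets), key=lambda s: -fanout[s])
```

A host that pings a single address (10.1.2.41 in the sample) is not flagged; only the fan-out pattern is, which is the list to patch first.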
> Hi guys,
>
> Nachi virus struck my network. My router melted down after the attack.
>
> As such, there are a huge number of PCs sitting on the inside interface of the
> firewall. The router having the internet link is sitting on the outside
> interface of the firewall.
>
> The internal users/servers are connected to the PIX via a 4507 internal L3
> switch.
>
> I have identified the traffic coming from inside to outside on port 0800
> (icmp type 8 packet) from the patted IP to some arbitrary IPs on the internet. I
> have blocked icmp on the PIX and stabilised the situation.
>
> But I still am not sure which hosts on the internal network are pushing
> this traffic (ie affected with nachi). I am ready to put nachi patches on all
> the 500 odd machines,
> but it is a bit tough!!!
>
> Is there any way to find the machine pumping this traffic from the switch?
> I am not able to enable ip route-cache flow or ip accounting on the vlan
> interface nor able to enable MLS. Is there any other way to see this
> information?
>
> Cheers
> Raj
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:08 GMT-3