Thursday 9 August 2012

tracking high bandwidth usage within a network

The best way to trace where traffic is coming from or going to is to use something like NetFlow, which will cost money, at least for someone's time to implement. Another approach is to graph all interfaces of routers, firewalls, switches and servers with MRTG, Cacti or similar, then look at the interface graphs and attempt to trace the traffic that way. Otherwise it can be difficult, and you can only investigate while the traffic is happening.

On Cisco ASA firewalls these commands can help.

If memory and CPU are not high then it's probably not a DDoS attack.
show cpu
show memory (lots of connections use memory; know how much your device normally uses)
show xlate count (to see the number of translations; an unusually high number would be there during an attack)
show conn count (every connection creates a conn entry in memory to enable stateful inspection)
show traffic (will show which interface has more traffic)

You can paste the output of show conn into this analyzer and get results.
Good for finding top talkers:
http://www.tunnelsup.com/cisco-asa-show-connections-analyzer/
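If you would rather not paste firewall output into a third-party web page, the same top-talker analysis is easy to script locally. The following is an added example, not code from the original post or from the tunnelsup analyzer: it parses a constructed sample of `show conn` output (the field layout is the common ASA one; the regex is an assumption on my part and may need adjusting for your image), ranks inside and outside hosts by bytes, and counts TCP connections that have not yet completed the handshake (flags without `U`), which is the embryonic-connection symptom the rest of the post looks for.

```python
import re
from collections import defaultdict

# Constructed sample of `show conn` output (not a real capture). Newer ASA
# images print "outside ... inside ..." with commas; older ones print "out"/"in"
# without commas, so the regex tolerates both (assumption).
SAMPLE_SHOW_CONN = """\
5 in use, 12 most used
TCP outside 203.0.113.5:443 inside 10.5.10.20:51234, idle 0:00:05, bytes 184320, flags UIO
TCP outside 203.0.113.5:443 inside 10.5.10.20:51240, idle 0:00:01, bytes 92160, flags UIO
UDP outside 198.51.100.9:53 inside 10.5.10.21:40011, idle 0:00:10, bytes 512, flags -
TCP outside 203.0.113.77:80 inside 10.5.10.22:50001, idle 0:01:20, bytes 20480, flags UIO
TCP outside 203.0.113.5:443 inside 10.5.10.20:51250, idle 0:00:00, bytes 4096, flags saA
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<remote>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<local>[\d.]+):(?P<lport>\d+),?\s+idle\s+(?P<idle>\S+?),?"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,?\s+flags\s+(?P<flags>\S+))?"
)


def parse_show_conn(text):
    """Return one dict per connection line; header/footer lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["flags"] = d["flags"] or ""
            conns.append(d)
    return conns


def top_talkers(conns, side="local", n=5):
    """Rank hosts on one side (local = inside, remote = outside) by total bytes.
    Returns (host, total_bytes, conn_count, distinct_peers) tuples."""
    other = "remote" if side == "local" else "local"
    totals = defaultdict(lambda: {"bytes": 0, "conns": 0, "peers": set()})
    for c in conns:
        t = totals[c[side]]
        t["bytes"] += c["bytes"]
        t["conns"] += 1
        t["peers"].add(c[other])
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))
    return [(h, t["bytes"], t["conns"], len(t["peers"])) for h, t in ranked[:n]]


def half_open_tcp(conns):
    """TCP conns whose flags lack 'U' (up) have not finished the handshake.
    A large share of these is the embryonic-connection symptom of a SYN flood."""
    return [c for c in conns if c["proto"] == "TCP" and "U" not in c["flags"]]


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    for row in top_talkers(conns, "local"):
        print("inside  %-15s bytes=%-8d conns=%d peers=%d" % row)
    for row in top_talkers(conns, "remote"):
        print("outside %-15s bytes=%-8d conns=%d peers=%d" % row)
    print("half-open TCP:", len(half_open_tcp(conns)), "of", len(conns))
```

Save the `show conn` output to a file (with the PuTTY scrollback raised as described below) and feed it to `parse_show_conn` in place of the constructed sample; a single inside host with many distinct peers and little data per connection looks different from one host moving a lot of data to one peer, and the two columns make that distinction visible at a glance.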


You will need to set the scrollback lines in PuTTY to 20000.
show local-host | incl host|count|embryonic
Legend for the output:
local host          : local IP of a station in the LAN
conn(s)/limit       : number of conn entries (connections) and their possible limit for this IP
embryonic(s)/limit  : number of embryonic (half-open) connections to this IP and their limit

Look for the host with the most connections in conn(s)/limit.

show local-host 10.5.10.20 (for more info on that host)

Scroll through and see the IP addresses it's connecting to. You can look the IPs up in something like http://mxtoolbox.com/; maybe this will give you a clue to the cause of the traffic. If you don't see the same IP appearing a lot then it could just be lots of internet traffic.
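Scrolling 20000 lines of `show local-host` output by eye is slow, so here is an added example (not from the original post) that ranks the hosts for you. It parses a constructed sample of the filtered `show local-host | incl host|count|embryonic` output; newer ASA images print `TCP flow count/limit` and `TCP embryonic count to host` lines, older ones print the `conn(s)/limit ... embryonic(s)/limit` form used in the legend above, and the sample mixes both only so the parser exercises each format (assumption: a real box prints one or the other). It also flags hosts whose connections are mostly half-open, which is what a SYN flood aimed at that host looks like in this output.

```python
import re

# Constructed sample, not a real capture. Both line formats are included so
# the parser handles either ASA version (assumption on my part).
SAMPLE_LOCAL_HOST = """\
Interface inside: 3 active, 5 maximum active, 0 denied
local host: <10.5.10.20>,
    TCP flow count/limit = 412/unlimited
    TCP embryonic count to host = 7
    UDP flow count/limit = 3/unlimited
local host: <10.5.10.21>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 1/unlimited
local host: <10.5.10.22>,
    conn(s)/limit = 33/unlimited, embryonic(s)/limit = 30/unlimited
"""

HOST_RE = re.compile(r"^local host:\s*<([\d.]+)>")
COUNT_NEW_RE = re.compile(r"(?:TCP|UDP) flow count/limit = (\d+)/")
EMB_NEW_RE = re.compile(r"embryonic count to host = (\d+)")
COUNT_OLD_RE = re.compile(r"conn\(s\)/limit = (\d+)/")
EMB_OLD_RE = re.compile(r"embryonic\(s\)/limit = (\d+)/")


def parse_local_host(text):
    """Return {ip: {"conns": n, "embryonic": n}} from show local-host output.
    TCP and UDP flow counts are summed into "conns"."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            cur = hosts.setdefault(m.group(1), {"conns": 0, "embryonic": 0})
            continue
        if cur is None:
            continue  # interface summary lines before the first host
        for rx in (COUNT_NEW_RE, COUNT_OLD_RE):
            for n in rx.findall(line):
                cur["conns"] += int(n)
        for rx in (EMB_NEW_RE, EMB_OLD_RE):
            for n in rx.findall(line):
                cur["embryonic"] += int(n)
    return hosts


def rank_hosts(hosts, n=10):
    """Hosts sorted by connection count, busiest first."""
    return sorted(hosts.items(), key=lambda kv: (-kv[1]["conns"], kv[0]))[:n]


def suspicious_hosts(hosts, min_conns=20, ratio=0.5):
    """Hosts where at least `ratio` of the connections are still half-open.
    Thresholds are arbitrary starting points; tune them to your baseline."""
    return sorted(ip for ip, h in hosts.items()
                  if h["conns"] >= min_conns and h["embryonic"] / h["conns"] >= ratio)


if __name__ == "__main__":
    hosts = parse_local_host(SAMPLE_LOCAL_HOST)
    for ip, h in rank_hosts(hosts):
        print("%-15s conns=%-5d embryonic=%d" % (ip, h["conns"], h["embryonic"]))
    print("mostly half-open:", suspicious_hosts(hosts))
```

The top of the ranking is the host to follow up with `show local-host <ip>`; a host on the suspicious list deserves the same follow-up even if its total is modest, because half-open connections cost conn-table memory without carrying data.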

Another approach is to run the following two commands:

show int | i 5 minute input rate
show int | i 5 minute output rate

Look for the highest rate, then change the i (include) to a b (begin) so the output starts at that line and you can see which interface it belongs to.
Find the interface that has all the traffic passing through it:
show int ip brief (to see a summary of the interfaces)
show int gi0/2 (to see more detail on a specific interface)

On Cisco switches use the following commands:
show int | i 5 minute input rate
show int | i 5 minute output rate
show int summary (shows a summary of the interfaces)
show mac address-table (see which MAC addresses are on which ports)
show arp (see which IP addresses are linked to which MAC addresses)
You can use this page to look up MAC addresses: http://www.coffer.com/mac_find/
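The `| i 5 minute` filter strips the interface header lines, which is why the ASA and switch steps above have you switch to `| b` to see which interface a rate belongs to. The following added example (not from the original post) does that pairing for you: it parses a constructed sample of full `show interface` output, pairs each interface header with its 5-minute input and output rates, normalises the ASA style (pkts/sec and bytes/sec) and the IOS switch style (bits/sec and packets/sec) to bits per second, and lists the busiest interfaces first. The mixed sample and the header regex are assumptions on my part; real output has many more lines per interface, which the parser ignores.

```python
import re

# Constructed sample of `show interface` output, not a real capture. The ASA
# form ("Interface X "nameif", is up") and the IOS form ("X is up") are both
# included so one function serves firewalls and switches (assumption).
SAMPLE_SHOW_INT = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  5 minute input rate 1200 pkts/sec,  1500000 bytes/sec
  5 minute output rate 900 pkts/sec,  300000 bytes/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  5 minute input rate 950 pkts/sec,  320000 bytes/sec
  5 minute output rate 1300 pkts/sec,  1480000 bytes/sec
Interface GigabitEthernet0/2 "dmz", is administratively down, line protocol is down
  5 minute input rate 0 pkts/sec,  0 bytes/sec
  5 minute output rate 0 pkts/sec,  0 bytes/sec
GigabitEthernet1/0/24 is up, line protocol is up (connected)
  5 minute input rate 9000000 bits/sec, 2000 packets/sec
  5 minute output rate 3000000 bits/sec, 800 packets/sec
"""

HEADER_RE = re.compile(
    r'^(?:Interface\s+)?(?P<name>[A-Za-z][\w/.:-]*)(?:\s+"(?P<nameif>[^"]*)")?'
    r",?\s+is\s+(?P<state>[a-z]+)"
)
RATE_RE = re.compile(
    r"^\s*5 minute (?P<dir>input|output) rate\s+(?P<v1>\d+)\s+(?P<u1>\S+?),"
    r"\s+(?P<v2>\d+)\s+(?P<u2>\S+)"
)


def _bits_per_sec(values):
    """Pick the bandwidth figure out of (value, unit) pairs and return bits/sec."""
    for v, u in values:
        if u.startswith("bits"):
            return int(v)
        if u.startswith("bytes"):
            return int(v) * 8
    return 0


def parse_rates(text):
    """Map interface name -> {"nameif", "state", "in_bps", "out_bps"}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = RATE_RE.match(line)
        if m and cur is not None:
            bps = _bits_per_sec([(m["v1"], m["u1"]), (m["v2"], m["u2"])])
            cur["in_bps" if m["dir"] == "input" else "out_bps"] = bps
            continue
        if line[:1].isspace():
            continue  # detail lines such as "Hardware is ..." are indented
        m = HEADER_RE.match(line)
        if m:
            cur = ifaces.setdefault(m["name"], {
                "nameif": m["nameif"], "state": m["state"], "in_bps": 0, "out_bps": 0,
            })
    return ifaces


def busiest(ifaces, n=5):
    """(name, nameif, in_bps, out_bps) tuples sorted by the busier direction."""
    rows = [(name, d["nameif"], d["in_bps"], d["out_bps"]) for name, d in ifaces.items()]
    return sorted(rows, key=lambda r: (-max(r[2], r[3]), r[0]))[:n]


if __name__ == "__main__":
    for name, nameif, in_bps, out_bps in busiest(parse_rates(SAMPLE_SHOW_INT)):
        label = "%s (%s)" % (name, nameif) if nameif else name
        print("%-32s in=%7.2f Mbps out=%7.2f Mbps" % (label, in_bps / 1e6, out_bps / 1e6))
```

Because everything is normalised to bits per second, the same ranking works when you have pulled `show interface` from the ASA and from the access switches and want to follow the traffic from one device to the next.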

Consider a NetFlow collector:
https://www.manageengine.com/products/firewall/cisco-asa-netflow-log-analysis.html

Warning: NetFlow can tax the CPU further and cause the ASA to crash, so be careful.

Might be worth a read:
https://community.spiceworks.com/topic/144272-traffic-analysis-bandwidth-for-cisco-asa
