Solved

IP Traffic - Cisco 3560

Posted on 2013-06-30
5
449 Views
Last Modified: 2013-12-14
I have a Cisco 3560; my uplink port is Gig. Eth 01 and I have made a mirror port on Gig. Eth 02.
I have connected this port to a Linux computer and tried to watch the IP traffic with pmacct, but it does not give me a real solution, because we have 2 Gbit+ of traffic and that is very hard to handle via MySQL and simple software.

Is there any solution that lets me watch the IP traffic port by port and store it daily / monthly?
0
Question by:3XLcom
5 Comments
 
LVL 2

Expert Comment

by:NE_Tech_Dude
ID: 39288939
You should be able to use tcpdump for packet capture and filter the data based on ports (1433, I assume) and then have all other traffic basically dropped.
Look into using tcpdump for your sniffer software, and have the data saved off to a file and rotated either by day or by data size. You may have to write a script to take the files that are saved and rotate them to a secure server. This should all be pretty simple to do for a mid-tier programmer who knows bash / perl / c++ or anything else really.
0
 

Author Comment

by:3XLcom
ID: 39289467
This is not an easy development. There are too many connections and too many groupings ... the MySQL side won't be easy. So I want ready-to-use software which is always being upgraded.
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39302644
"Is there any solution that i could watch the ip traffics port by port and store them daily / monthly ? "
Your current solution captures every single packet, which seems like you're drinking from a firehose.

Another solution might be to use NetFlow. NetFlow will gather usage statistics and then send the data to a collector where you can analyze the data.

http://en.wikipedia.org/wiki/NetFlow

There are a number of free NetFlow collectors:

http://sourceforge.net/projects/nnfc/
http://www.networkuptime.com/tools/netflow/
http://www.mindrot.org/projects/flowd/
http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
0
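As an added illustration of the collector side of this suggestion (example code, not from this thread and not from any of the collectors linked above): a parser for the NetFlow v5 datagram format that rolls flow bytes up per destination port by day and by month, which is the per-port daily/monthly view the question asks for. It assumes an exporter that speaks NetFlow v5 and a UDP listener that hands each datagram to `PortUsage.ingest`; the sample datagram is built in code (`build_v5_datagram`, a constructed stand-in for the exporter) so the module runs offline.

```python
"""Minimal NetFlow v5 collector logic: parse an exporter datagram and roll
flow bytes up per destination port by day and by month. Added example, not
from the thread; assumes a NetFlow v5 exporter and builds the sample datagram
in code so it runs offline."""
import ipaddress
import struct
from collections import defaultdict
from datetime import datetime, timezone

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)    # 48
MAX_RECORDS = 30                            # a v5 datagram carries at most 30


def parse_netflow_v5(datagram):
    """Return (export_unix_secs, [flow dicts]); raise ValueError if malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count disagrees with datagram length")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return unix_secs, flows


class PortUsage:
    """Byte counters keyed by (period, proto, dport) for daily and monthly views."""

    def __init__(self):
        self.daily = defaultdict(int)
        self.monthly = defaultdict(int)

    def ingest(self, datagram):
        """Parse one datagram and add its flows; returns the number of flows."""
        unix_secs, flows = parse_netflow_v5(datagram)
        ts = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
        day, month = ts.strftime("%Y-%m-%d"), ts.strftime("%Y-%m")
        for f in flows:
            self.daily[(day, f["proto"], f["dport"])] += f["bytes"]
            self.monthly[(month, f["proto"], f["dport"])] += f["bytes"]
        return len(flows)

    def top_ports(self, period, limit=5):
        """[(proto, dport, bytes)] for one day ('YYYY-MM-DD') or month ('YYYY-MM')."""
        table = self.daily if len(period) == 10 else self.monthly
        rows = [(p, d, b) for (per, p, d), b in table.items() if per == period]
        return sorted(rows, key=lambda r: r[2], reverse=True)[:limit]


def build_v5_datagram(unix_secs, flows):
    """Constructed stand-in for the exporter: pack (src, dst, sport, dport,
    proto, packets, bytes) tuples into a v5 datagram."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                    1, 2, pkts, nbytes, 0, 0, sport, dport,
                    0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, sport, dport, proto, pkts, nbytes in flows)
    return header + body


# Constructed sample: two HTTPS flows and one DNS flow exported 2013-06-30 00:00 UTC.
SAMPLE_TS = 1372550400
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 120, 150_000),
    ("192.0.2.11", "198.51.100.5", 51001, 443, 6, 40, 60_000),
    ("192.0.2.12", "198.51.100.9", 51002, 53, 17, 3, 300),
]

if __name__ == "__main__":
    usage = PortUsage()
    usage.ingest(build_v5_datagram(SAMPLE_TS, SAMPLE_FLOWS))
    print(usage.top_ports("2013-06-30"))   # [(6, 443, 210000), (17, 53, 300)]
```

The parser rejects datagrams whose version or record count does not match their length rather than silently reading garbage, which matters for a collector that listens on UDP to anything that can reach it. Keying the counters by period string keeps the daily and monthly tables small regardless of packet rate, because only one row per (period, protocol, port) is kept instead of one per packet.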
 

Author Comment

by:3XLcom
ID: 39357360
I do not want something like this. I got an email today and I want to create a system like it: it finds the IP owner from ICANN - RIPE, IANA .. - and sends emails for suspicious calls and logs them.

We received a DDoS attack from 1 or more IPs belonging to your organization.

PLEASE READ THE FREQUENTLY ASKED QUESTIONS BEFORE REPLYING!!!!!!!!!

Time: 2013-07-24-14-54-36 PDT (UTC-7)
(Year-Month-Day-Hour-Minute-Second)

Attacking IP(s):
37.123.96.9

Attacking Port(s): 161,fragmented or portless protocol

Victim IP(s):
108.61.46.52

Log Files:
http://www.skial.com/doslogs/2013-07-24-14-54-36.pcap - PCAP logs http://www.skial.com/doslogs/2013-07-24-14-54-36.log - Text logs

The pcap log file can be opened with Wireshark or Tcpdump.

Please investigate for compromised servers or abusive users. Common problems include:

(1) Port 53 UDP (DNS) - DNS servers should not allow recursion to the public.  They should also be rate limited.

How to disable recursion:
http://www.team-cymru.org/Services/Resolvers/instructions.html

How to rate limit:
http://www.redbarn.org/dns/ratelimits

Tool for seeing other DNS servers on your network:
http://openresolverproject.org

(2) Port 161,162 UDP (SNMP) - SNMP servers should not be open to the public. They are used for configuring network devices and also pose a security issue to your own network.

(3) Port 19 UDP (Chargen) - This feature generates random text and can safely be blocked from the Internet. It is often found on printers.

(4) Any other UDP servers - They should be blocked from the Internet or rate limit requests per IP.

If you are not able to remove or fix the server, we request null routing to our IP if you are not a residential ISP. A list of our IPs can be found here: http://www.skial.com/api/serversrawip.php

If this is the wrong email, please forward it to the correct department. We have tried to locate the correct email through Whois, but unfortunately due to the lack of standardized forms we may have the wrong address.

This email was automatically generated and sent to thousands of attackers so we may not be able to respond to every email.

================ FREQUENTLY ASKED QUESTIONS ========================

- Where are the logs?

Links to the logs are available at the top of the email.

- I only see 1-2 lines from our server, how can this be an attack?

Hackers spread the load among many servers so you do not suspect you are being used. Also because of the size of the attacks we only capture traffic for a brief time and many of the times the attack is larger than our bandwidth. This means it is highly likely you sent more packets than shown in the logs.

- It looks like you are attacking us.

Hackers spoof our IP so your servers reply to us with a much larger packet. Please read this article to learn about amplified DDoS attacks:

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

If you look at our packet dump you will see we did not send any packets to your server.

- Where is the port number?

If the port number is not shown, the packet from your IP was either too large and fragmented or it was using a protocol that does not have a port number like ICMP. 

- This looks like a regular DNS query to me?

We do not use any DNS server except Google and OpenDNS.

- We don't have these ports open on our server?

It is highly unlikely these packets were spoofed because the attacker would be wasting bandwidth they could use to amplify bandwidth from another server.

Most of the time the cause is that computer(s) in your network are part of the botnet and are sending packets to an internally available SNMP port. Many firewalls are also accessible through SNMP.

- We already have rate limits and recursion disabled on our server?

Thank you for maintaining your server. It is not possible for us to legally know if your server is rate limited. Even with rate limits the amplification on SNMP and DNS is very high and the traffic is still being used to DDoS us. Protocols like these are fundamentally flawed.

- Can you attach a personally tailored text log with only our IPs?

Because there are thousands of attackers, we use a program to generate these reports and we are unable to customize reports or have the manpower to do it manually.

Some hosts do not accept edited text to be "evidence" because they claim they can easily be faked. Some hosts also refuse to open attachments or are unable to open attachments due to size or company policy.

We have found this configuration to maximize the number of responses over the past year of sending reports like these.

- Can you send 1 email per IP?

No, because some networks may have hundreds of attacking IPs and we may get blocked for spam. Several networks have told us they refuse to investigate more than a few emails at a time.

- Why did you send to this email? / This is the wrong department.

We use WHOIS to automatically find a contact email based on the ASN of the IP. Unfortunately these records have different layouts, and people attempt to obfuscate abuse emails, leading our program to choose another email in the record. This makes it very difficult to locate a proper abuse email.

- We do not own this IP / Why do you send reports by ASN?

First check if you are hosting this IP range for a customer.
Most of the time this complaint arises because you do not know your company is hosting IPs for a customer. According to public records you are the ASN responsible for this IP block.

Most of the operators of 2nd or 3rd level ranges do not understand what to do with these reports. We received many questions and were asked to provide support, while it is not our job to provide support for your customers. It is ultimately your responsibility to prevent DDoS attacks from your network.

You can take appropriate measures like informing and/or locking your customers and by this help them clean up their network.
We feel that it is very important that you see what is going on in your network, as every once in a while the customer is not responsible for the problem. Sometimes it is a problem that can only be fixed by you.

Finally it is extremely difficult to get the abuse contacts from the whois servers. All registries have low rate limits and make it impossible to query every single address. Therefore we have to cache based on ASN.

- How do I find out what vulnerabilities my server has?

Use nmap.org to scan your IP for any vulnerabilities listed above.
Simply run "nmap -sU your_ip".

- Why should I do anything?

Being part of a DDoS attack not only drains resources from your network but it can also be a security hazard for yourself for protocols such as SNMP. 

DDoS attacks are also illegal in many countries and knowingly allowing it to continue may hold you liable in a court of law.


0
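The system described in this comment (find the owner of a suspicious IP, notify them, log it), as an added example that is not part of the original post or of the quoted report: it flags local hosts that answer on the UDP services the report names (DNS, SNMP, chargen) with large replies to outside addresses, pulls the abuse mailbox out of a whois record, and drafts the notification together with a JSON log line. The flow records, the local prefix `192.0.2.0/24`, the sender address `noc@example.net` and the whois text are all constructed assumptions; fetching the whois record and actually sending the mail are left to the caller.

```python
"""Detect local hosts acting as UDP amplifiers (the DNS/SNMP/chargen cases in
the abuse report above), find the abuse contact for the host in a whois
record and draft the notification. Added example, not part of the thread;
flow records and the whois text are constructed inline."""
import ipaddress
import json
import re
from collections import defaultdict
from email.message import EmailMessage

# Assumed local address space (RFC 5737 documentation prefix, constructed).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# UDP services the abuse report lists as amplifiers.
AMPLIFIER_PORTS = {53: "DNS", 161: "SNMP", 162: "SNMP", 19: "chargen"}
MIN_BYTES_PER_PACKET = 400     # amplified replies are large; queries are small
MIN_TOTAL_BYTES = 1_000_000    # ignore a handful of legitimate large answers


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_amplifiers(flows, min_total=MIN_TOTAL_BYTES):
    """Aggregate outbound UDP flows whose source port is an amplifier service
    and whose replies are large. Returns {(src_ip, sport): summary}."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "victims": set()})
    for f in flows:
        if f["proto"] != 17 or f["sport"] not in AMPLIFIER_PORTS:
            continue                         # not a UDP amplifier service
        if not is_local(f["src"]) or is_local(f["dst"]):
            continue                         # only local -> external traffic
        if f["bytes"] / max(f["packets"], 1) < MIN_BYTES_PER_PACKET:
            continue                         # small packets: ordinary answers
        entry = agg[(f["src"], f["sport"])]
        entry["bytes"] += f["bytes"]
        entry["packets"] += f["packets"]
        entry["victims"].add(f["dst"])
    return {
        key: {"service": AMPLIFIER_PORTS[key[1]], **val}
        for key, val in agg.items() if val["bytes"] >= min_total
    }


# RIPE-style objects carry "abuse-mailbox:", ARIN-style records "OrgAbuseEmail:".
ABUSE_ATTR = re.compile(r"^\s*(?:abuse-mailbox|OrgAbuseEmail):\s*([^\s@]+@\S+)", re.I)


def abuse_contact(whois_text):
    """Return the first abuse mailbox found in a whois record, else None."""
    for line in whois_text.splitlines():
        m = ABUSE_ATTR.match(line)
        if m:
            return m.group(1)
    return None


def draft_report(src_ip, sport, summary, to_addr, observed_at, sender="noc@example.net"):
    """Build the notification e-mail (not sent here) and a JSON log line."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    msg["Subject"] = f"[abuse] {src_ip} udp/{sport} ({summary['service']}) amplification traffic"
    msg.set_content(
        f"Time: {observed_at} (UTC)\n"
        f"Source IP: {src_ip}, source port: {sport}/udp ({summary['service']})\n"
        f"Packets: {summary['packets']}, bytes: {summary['bytes']}\n"
        f"Destination IP(s): {', '.join(sorted(summary['victims']))}\n"
        "Please check the host for an open resolver / SNMP agent / chargen service.\n"
    )
    log_line = json.dumps({
        "time": observed_at, "src": src_ip, "sport": sport,
        "service": summary["service"], "bytes": summary["bytes"],
        "victims": sorted(summary["victims"]), "notified": to_addr,
    }, sort_keys=True)
    return msg, log_line


def process(flows, whois_by_ip, observed_at):
    """Run detection, resolve contacts and return [(message, log_line)].
    whois_by_ip maps an IP to the whois text fetched for it (caller's job)."""
    out = []
    for (src, sport), summary in find_amplifiers(flows).items():
        contact = abuse_contact(whois_by_ip.get(src, "")) or "no-contact-found"
        out.append(draft_report(src, sport, summary, contact, observed_at))
    return out


# Constructed sample data: one SNMP amplifier, one normal DNS server, one TCP
# flow and one inbound flow that must be ignored.
SAMPLE_FLOWS = [
    {"src": "192.0.2.25", "dst": "203.0.113.7", "sport": 161, "dport": 40123,
     "proto": 17, "packets": 1200, "bytes": 1_500_000},
    {"src": "192.0.2.30", "dst": "203.0.113.9", "sport": 53, "dport": 40124,
     "proto": 17, "packets": 10, "bytes": 1_000},
    {"src": "192.0.2.40", "dst": "203.0.113.9", "sport": 443, "dport": 40125,
     "proto": 6, "packets": 500, "bytes": 600_000},
    {"src": "203.0.113.9", "dst": "192.0.2.30", "sport": 53, "dport": 40126,
     "proto": 17, "packets": 2000, "bytes": 2_400_000},
]
# Constructed RIPE-style whois object for the flagged host.
SAMPLE_WHOIS = {"192.0.2.25": (
    "inetnum:        192.0.2.0 - 192.0.2.255\n"
    "netname:        EXAMPLE-NET\n"
    "abuse-mailbox:  abuse@example.net\n"
    "source:         RIPE\n")}

if __name__ == "__main__":
    for msg, line in process(SAMPLE_FLOWS, SAMPLE_WHOIS, "2013-07-24T21:54:36Z"):
        print(msg)
        print(line)
```

The bytes-per-packet test is what separates an amplifier from a busy but healthy server: a recursive resolver or SNMP agent being abused returns responses many times larger than the spoofed queries, while ordinary answers stay small. The total-bytes floor stops a single large zone transfer or SNMP walk from producing a report, and the two attribute names in `ABUSE_ATTR` cover the common RIPE and ARIN record layouts; the report itself notes that other layouts exist, so a missing match is logged as "no-contact-found" rather than guessed.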
 

Author Closing Comment

by:3XLcom
ID: 39719114
Thanks.
0
