12-11-2003 04:13 AM - edited 03-02-2019 12:17 PM
My organisation is connected to the internet via a 64k data line. I use network address translation (NAT) and access lists on my router to map internal IP addresses to the outside and give staff access to the internet. The problem is that internet traffic seems to be at peak all the time despite the number of computers accessing the internet. I suspect that some computers are sending traffic continuously to the internet. So, is there a way of detecting which IP addresses or which computers are sending this traffic? Can spam increase the amount of traffic in such magnitude? If so, is there a way of blocking spam on the router or whichever? Is there anything I need to take into consideration to control traffic flow on my router interface before it goes out to the internet?
12-11-2003 08:39 PM
Hi,
Depending on the number of computers on your LAN, the 64K line could easily become saturated.
One command that I have found helpful to determine which systems are sending or receiving the most traffic is the "ip accounting" interface command.
For example:
interface ser0/0
ip accounting
Then wait about a minute and do a "show ip accounting". Depending on how you have NAT set up (i.e. one-to-one or one-to-many) you may get different results.
This command has been helpful to me in detecting the Nachi virus. If I do a "show ip accounting" and see a system sending 1 packet that is 92 bytes to various systems, then I can deduce it probably has the Nachi virus.
I hope this helps,
Thanks
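Added example (not from the reply above): a small Python script that parses the "Source / Destination / Packets / Bytes" table printed by "show ip accounting", ranks sources by bytes sent, and flags hosts sending single fixed-size packets to many destinations, the pattern the reply associates with Nachi. The sample output, the addresses and the thresholds (92-byte packets, 3 or more targets) are constructed for the example.

```python
"""Parse 'show ip accounting' output: top talkers and single-packet sweepers."""
from collections import defaultdict
import re

# Constructed sample in the IOS column layout; addresses and counters are invented.
SAMPLE_SHOW_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 10.0.0.12          203.0.113.7                 8421            10894310
 10.0.0.12          198.51.100.9                 113               96212
 10.0.0.33          192.0.2.1                      1                  92
 10.0.0.33          192.0.2.2                      1                  92
 10.0.0.33          192.0.2.3                      1                  92
 10.0.0.45          203.0.113.20                 640              512000
  Accounting data age is 3
"""

# One data row: src, dst, packets, bytes. Header and footer lines do not match.
LINE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")


def parse_accounting(text):
    """Return a list of (src, dst, packets, bytes) tuples from the command output."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, pkts, nbytes = m.groups()
            flows.append((src, dst, int(pkts), int(nbytes)))
    return flows


def top_talkers(flows, n=3):
    """Rank source addresses by total bytes sent through the interface."""
    totals = defaultdict(int)
    for src, _dst, _pkts, nbytes in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def single_packet_sweepers(flows, pkt_size=92, min_targets=3):
    """Sources whose rows are single packets of one size to many distinct
    destinations (the Nachi-style ICMP sweep). Thresholds are assumed values."""
    targets = defaultdict(set)
    for src, dst, pkts, nbytes in flows:
        if pkts == 1 and nbytes == pkt_size:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_SHOW_IP_ACCOUNTING)
    print("top talkers:", top_talkers(rows))
    print("suspect sweepers:", single_packet_sweepers(rows))
```

Paste the real "show ip accounting" output into SAMPLE_SHOW_IP_ACCOUNTING (or read it from a file) to run it against your own router; note that with one-to-many NAT the source column may already show the translated address depending on where accounting is applied.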
12-17-2003 11:54 AM
If you happen to have a Cisco router with the proper IOS you can show the IP flows.
To do this do the following:
In interface mode (on the interface that your computers are on) issue the IP ROUTE-CACHE FLOW command.
Exit from interface and config mode and issue the following command: SHOW IP CACHE FLOW
This will show you any active flows and may help determine what devices are using your bandwidth.
Hope this helps.
Regards,
Dave
12-17-2003 03:58 PM
You could also create an IP extended access-list that permits and logs all kinds of IP traffic. Then, you could either do a "show log" command periodically, to see what kind of traffic it is and who's sending it; or, if you're logging to a Syslog server, you can just review the accumulated logs there.
I use it as a crude intrusion detection system. Some of the things I look for: machines trying to connect to Microsoft networking ports 135, 137, 138, 139, 445, on subnets where no such computers exist. Or machines doing ping sweeps. Or machines attempting to connect to Microsoft SQL Server ports 1433 or 1434, where no SQL Server system exists. All of which are symptoms of some of the more recent worms (Nachi, Blaster, SQL) that have gone around the Internet.
If the source IP address of this traffic is on one of my networks, that machine gets cut off from Internet and intranet access until it can be cleaned.