Regarding security issue

Madhan Kumar
Level 1

Hi All,

One of my clients hosted three FTP servers in a datacenter environment. Out of the three servers, one is a backup FTP server; if the primary FTP server fails, the users can access the backup server. These three servers are in the DMZ zone of the ASA 5510. My client is a printing and image processing company, and users across the world can access these servers for image viewing. These three servers are connected to a 2 Mbps-100 Mbps bursted line; whenever the usage is high it can negotiate the pipe bandwidth accordingly. The usage limit is 100 GB.

Recently what happened is that the ISP gave a usage bill for 1300 GB in two months, which has never happened in the last two and a half years. And the tricky part is that the detailed bill shows the backup server's utilization is more than 1200 GB. The backup FTP server runs Windows 2003 and has 60 GB of hard disk space (a desktop PC only). The point to note is that only if the primary server fails does the administrator have to give the backup FTP address to the users. But all the primary servers are working fine.

The log viewer of the backup server shows that somebody tried to access the FTP server and tried to log on continuously using different logon credentials. But the log shows all the login attempts failed. Then how can this server consume this much bandwidth?

Is there any attack on the server? The ASA was configured by some third-party vendor and seems not to be configured properly. Is there any way to find out the bandwidth usage of the server? Can I find out if there is any attack or malware causing this problem? Or is the ISP doing something wrong?

This case came to me, and for the last three days I have been trying to figure it out. Could anyone please suggest how to find a solution for this? I have to give the report on the root cause of this problem soon.

Thank you

Madhankumar

India.

1 Reply

mwinnett
Level 3

Do you have the syslog for the period in question? If so, at what logging level? You could trace the FTP attempts to find out how much b/w is used per attempt and use that as a measure of the bandwidth used.

Assuming that nothing has changed, put a trace on the outside interface of the ASA and see what traffic is going to the ISP.

Matthew
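
One way to act on the syslog suggestion above, as an added example that is not part of the original thread: sum the byte counts in the ASA's connection-teardown messages per DMZ host and per remote peer, which separates many small failed logons from a few large transfers. It assumes the ASA logged at level 6 (informational) and that the DMZ interface is named `dmz`; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# ASA teardown messages (302014 = TCP, 302016 = UDP) are emitted at logging
# level 6 (informational) and carry the byte count of each finished connection.
TEARDOWN = re.compile(
    r"%ASA-6-30201[46]: Teardown (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[^:\s]+):(?P<ip_a>[^/\s]+)/\d+\S* "
    r"to (?P<if_b>[^:\s]+):(?P<ip_b>[^/\s]+)/\d+\S* "
    r"duration \d+:\d+:\d+ bytes (?P<bytes>\d+)"
)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
Mar 01 02:10:11 asa %ASA-6-302014: Teardown TCP connection 9001 for outside:198.51.100.7/40112 to dmz:192.0.2.13/21 duration 0:00:04 bytes 412 TCP FINs
Mar 01 02:10:19 asa %ASA-6-302014: Teardown TCP connection 9002 for outside:198.51.100.7/40113 to dmz:192.0.2.13/21 duration 0:00:03 bytes 398 TCP FINs
Mar 01 02:31:40 asa %ASA-6-302014: Teardown TCP connection 9050 for outside:203.0.113.44/51820 to dmz:192.0.2.13/50001 duration 0:14:52 bytes 734003200 TCP FINs
Mar 01 03:00:02 asa %ASA-6-302014: Teardown TCP connection 9077 for outside:203.0.113.9/33010 to dmz:192.0.2.11/21 duration 0:00:09 bytes 15360 TCP FINs
Mar 01 03:00:05 asa %ASA-4-106023: Deny tcp src outside:198.51.100.7/40200 dst dmz:192.0.2.13/23 by access-group "outside_in"
"""

def usage_by_server(lines, server_iface="dmz"):
    """Sum bytes and connections per host behind server_iface, split by peer."""
    usage = defaultdict(lambda: {"bytes": 0, "conns": 0, "peers": defaultdict(int)})
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            continue  # not a teardown record (for example a deny message)
        if m["if_a"] == server_iface:
            server, peer = m["ip_a"], m["ip_b"]
        elif m["if_b"] == server_iface:
            server, peer = m["ip_b"], m["ip_a"]
        else:
            continue  # connection does not involve the DMZ interface
        size = int(m["bytes"])
        usage[server]["bytes"] += size
        usage[server]["conns"] += 1
        usage[server]["peers"][peer] += size
    return usage

if __name__ == "__main__":
    for server, u in usage_by_server(SAMPLE_LOG.splitlines()).items():
        top = sorted(u["peers"].items(), key=lambda kv: kv[1], reverse=True)
        print(server, u["bytes"], "bytes in", u["conns"], "connections; top peers:", top[:3])
```

Run it over the syslog for the billing period and compare each server's total with the ISP's per-server figures; if the log was kept below level 6, the teardown records will be missing and the totals will undercount.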