Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

DOS attacks

When a pc in a network is sending a lot of packets to the network, increasing the congestion on network, how to find which pc  is doing that on the network and how to stop that pc. Can some one tell me detail prodedure please

Leo Laohoo
VIP Community Legend

Do you know the IP address of the PC?


Leo Laohoo
VIP Community Legend

So how do you know? 

the whole network became slow. stp is fine. I am suspecting some pc sending so many frames and congesting the network. how to find if that is the cause

Leo Laohoo
VIP Community Legend

Find your core router or switch and run "ip accounting".

A PC alone pushing 100% of data could not slow a network.

Are you talking about WAN or LAN?

What is your network topology like?

IF you want to track something down you need to provide either an IP address or a MAC address.  If you don't have either information ... then you are not trying hard enough to get that vital information.

you can also use the interface config command ip route-cache flow for your troubleshooting.

Router(config-if)#ip route-cache flow

Router#show ip cache flow

Cisco Employee

The procedure of mitigation will definitely depends on the symptoms you see. Just few examples:

- Particular interfaces is oversubscribed with traffic and dropping causing congestion.

You can SPAN that interface or check packets in the buffer with "show buffer input-interface INT_NAME". By that you will see which source (MAC ip address) is sending more often. Then you will be able to trace it through your network checking where this MAC/IP is learned  (with show mac and show ip arp commands) until traced to last physical port where it is connected

- Other posibility is High CPU on particular device of the traffic path. Again you can SPAN CPU or get the packets there with "debug netdr capture rx" and then "show netdr capture rx" - non intrusive. Again you will see culprit sending most of the packets and trace it as shown above.

- STP misbihaving. You can check if TCNs are growing with "show spann detail". It will also show you the port causing the TCN - going to the switch connected to that interface you will be able to trace SPAN further similar way.

So more details on what you see when that host is doing DOS attack will help to find the relevant way if mitigation.