
DOS attacks

krishna3010
Level 1

When a PC in a network is sending a lot of packets to the network, increasing the congestion on the network, how do I find which PC is doing that on the network and how do I stop that PC? Can someone tell me the detailed procedure, please?


Leo Laohoo
Hall of Fame

Do you know the IP address of the PC?

no

So how do you know? 

The whole network became slow. STP is fine. I am suspecting some PC is sending so many frames and congesting the network. How do I find out if that is the cause?

Find your core router or switch and run "ip accounting".

A PC alone pushing 100% of data could not slow a network.

Are you talking about WAN or LAN?

What is your network topology like?

If you want to track something down you need to provide either an IP address or a MAC address. If you don't have either piece of information ... then you are not trying hard enough to get that vital information.

You can also use the interface config command "ip route-cache flow" for your troubleshooting.

Router(config-if)#ip route-cache flow

Router#show ip cache flow
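
Added example, not part of the original thread and not Cisco code: a small Python script that ranks source hosts by packet count from the flow-record table of "show ip cache flow", which is how that output points to the PC generating the traffic. The sample table is constructed, and the classic IOS column layout and the K/M suffix handling are assumptions.

```python
import re
from collections import Counter

# Constructed sample of the flow-record table printed by "show ip cache flow".
# Assumed classic IOS column layout; Pr, SrcP and DstP are hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         192.0.2.10      Fa0/0         198.51.100.5    06 C001 0050    12
Fa0/1         192.0.2.44      Fa0/0         198.51.100.9    11 0400 0035  9100
Fa0/1         192.0.2.44      Fa0/0         198.51.100.7    11 0401 0035  8700
Fa0/2         192.0.2.23      Fa0/0         198.51.100.5    06 C0F2 01BB   340
Fa0/1         192.0.2.44      Null          203.0.113.1     01 0000 0800  4000
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+[KM]?)\s*$"
)

def parse_pkts(field):
    """Convert the Pkts column to an int; a K/M suffix is assumed to mean x1000 / x1000000."""
    mult = {"K": 1_000, "M": 1_000_000}.get(field[-1], 1)
    return int(field.rstrip("KM")) * mult

def top_talkers(text, n=3):
    """Return [(src_ip, src_if, packets, flows, distinct_dsts)], busiest source first."""
    pkts, flows, dsts = Counter(), Counter(), {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # header, summary statistics and blank lines
        key = (m["src"], m["src_if"])
        pkts[key] += parse_pkts(m["pkts"])
        flows[key] += 1
        dsts.setdefault(key, set()).add(m["dst"])
    return [(ip, ifc, total, flows[ip, ifc], len(dsts[ip, ifc]))
            for (ip, ifc), total in pkts.most_common(n)]

if __name__ == "__main__":
    for ip, ifc, total, nflows, ndst in top_talkers(SAMPLE):
        print(f"{ip:<15} via {ifc:<6} {total:>7} pkts  {nflows} flows  {ndst} destinations")
```

The source interface in the top row is where to continue tracing with the MAC and ARP tables toward the access port.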

nkarpysh
Cisco Employee

The procedure of mitigation will definitely depend on the symptoms you see. Just a few examples:

- A particular interface is oversubscribed with traffic and dropping, causing congestion.

You can SPAN that interface or check packets in the buffer with "show buffer input-interface INT_NAME". By that you will see which source (MAC/IP address) is sending more often. Then you will be able to trace it through your network, checking where this MAC/IP is learned (with the show mac and show ip arp commands), until it is traced to the last physical port where it is connected.

- Another possibility is high CPU on a particular device in the traffic path. Again, you can SPAN the CPU or get the packets there with "debug netdr capture rx" and then "show netdr capture rx" - non-intrusive. Again, you will see the culprit sending most of the packets and trace it as shown above.

- STP misbehaving. You can check if TCNs are growing with "show spann detail". It will also show you the port causing the TCN - going to the switch connected to that interface, you will be able to trace SPAN further in a similar way.

So more details on what you see when that host is doing the DOS attack will help to find the relevant way of mitigation.

Nik,

HTH,
Niko