
Interpret this netflow graph


vortmax

Technical User
Aug 1, 2006
46
US
My company is running several CMTSs (cable modem head ends) at different properties around the US. We feed in a T1 connection through a firewall then into the CMTS which dishes out the service to the residents. We've been having bandwidth issues at one property, so I set up SNMP monitoring and pulled this graph off from last night.

[Image: 2cfskxt.jpg]


Green is inbound and the blue line is outbound. How do you all read this? I'm seeing a DOS attack between 6 and 8, but am not sure what to make of the elevated outbound traffic later on. Any thoughts?
 
That's not a DOS, you are merely running out of bandwidth. How many people do you have behind the T1?
 
There are only 27 people behind the T1 and they are capped to:

I just double checked the QOS settings and it appears they were reset to the defaults:

10 Mbps down
2 Mbps up

Which I guess would explain running out of bandwidth.

Still don't understand why the outbound traffic would be so much higher than the inbound for most of the day.
 
Are you sure you've got the inbound and outbound set from the end users' perspective?



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Yea. Those are the subscriber QOS settings in the CMTS, so that's what is being applied to each cable modem that syncs with the CMTS.
 
Is there some action on their machines that occurs at this time, maybe a batch transfer, backup, etc.?


James P. Cottingham
-----------------------------------------
I'm number 1,229!
I'm number 1,229!
 
No, this isn't a business network. It's a residential cable network. So there is a very high probability that at least one computer on the network is infected with something. We do have it firewalled, which blocks a lot of stuff, but it is mostly in place to keep the CMTS and other head end equipment safe.
 
The timeline is pretty defined; I would look for an automated download or update process.
 
Probably some guy sharing MP3s on BitTorrent or Kazaa or some other P2P application.
 