
Network traffic is saturated going outbound....

Aug 1, 2003

I am trying to find the source or sources of why my network traffic is saturated going outbound.

I set up a syslog server and have my pix sending it type 6 info alerts. I found some obvious problems and patched the pc's but that did not solve my problem.

I have also been running a sniffer (Sniffer 4.5 & Ethereal) but I do not see anything obvious there either.

What should I be looking for specifically? Any one have any filters set up for ethereal that they would like to share?

 
I have two PIX-to-syslog logs that I looked through, but this time I used firewallanalyzer to do a report based on the syslog data. Here is what I found:

12/4 12:33pm -2:18pm:

106011 No routing to arrival interface. event count 124426 38.45%
302013 Built TCP connection event count 84424 26.09%
106015 Deny TCP no connection established. event count 67932 20.99%
305011 TCP UDP ICMP Address Translation slot created. event count 33707 10.42%
302015 Built UDP connection event count 10883 3.36%
106023 Deny IP packet by access-list. event count 1884 0.58%
305005 Translate group not found. event count 192 0.06%
110001 No route. event count 54 0.02%
609001 event count 33 0.01%
305009 Address Translation slot created. event count 24 0.01%

Patched all the 106011 PCs with the latest security patches from Microsoft and the error event went away. I didn't know what to make of the 106015 events because they were from different PCs.


12/5 every 30 min starting at midnight to 6 am:

106015 Deny TCP no connection established. event count 87481 75.67%
302013 Built TCP connection event count 11310 9.78%
302015 Built UDP connection event count 5048 4.37%
305011 TCP UDP ICMP Address Translation slot created. event count 3854 3.33%
305012 Teardown TCP UDP ICMP Address Translation slot. event count 3830 3.31%
106023 Deny IP packet by access-list. event count 3587 3.10%
305005 Translate group not found. event count 380 0.33%
110001 No route. event count 60 0.05%
302010 TCP connections in use. event count 21 0.02%
609002 Network state container for the host IP address connected to interface name is removed. event count 13 0.01%


A ridiculous amount of 106015 messages, 75% of my traffic; these come from about 10 different outside IPs.
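Added example, not code from the thread: a short Python script that produces the same kind of per-message-ID breakdown as the report above directly from raw PIX syslog lines, and then ranks the outside IPs behind the 106015 "Deny TCP (no connection)" events so the handful of sources can be identified. The log lines are constructed for the example; the message text follows the PIX "%PIX-<severity>-<id>: ..." syslog format.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not taken from the thread).
SAMPLE_LOG = """\
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/4321 to 192.0.2.10/80 flags SYN ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/4322 to 192.0.2.10/80 flags SYN ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/5555 to 192.0.2.10/80 flags RST on interface outside
%PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.2/80 (198.51.100.2/80) to inside:10.0.0.5/1025 (192.0.2.10/1025)
%PIX-6-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/1234 dst inside:10.0.0.5/445
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/4323 to 192.0.2.10/80 flags SYN ACK on interface outside
"""

# Every PIX syslog message carries "%PIX-<severity>-<six-digit id>:".
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):")
# 106015 names the peer as "from <ip>/<port> to <ip>/<port>".
DENY_NOCONN_RE = re.compile(
    r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+"
)


def count_by_message_id(log_text):
    """Return {msgid: (count, percent of all messages)}, like the report in the post."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            counts[m.group("id")] += 1
    total = sum(counts.values())
    if total == 0:  # empty or unparseable log: avoid dividing by zero
        return {}
    return {mid: (n, round(100.0 * n / total, 2)) for mid, n in counts.items()}


def top_106015_sources(log_text, limit=5):
    """Rank the outside IPs generating 'Deny TCP (no connection)' events."""
    srcs = Counter()
    for line in log_text.splitlines():
        m = DENY_NOCONN_RE.search(line)
        if m:
            srcs[m.group("src")] += 1
    return srcs.most_common(limit)


if __name__ == "__main__":
    for mid, (n, pct) in sorted(count_by_message_id(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{mid} event count {n} {pct}%")
    print("top 106015 sources:", top_106015_sources(SAMPLE_LOG))
```

Feed it the actual syslog file instead of SAMPLE_LOG and compare the 106015 source ranking against the 30-minute windows in the second report to see whether the same outside addresses recur.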
 
"A ridiculous amount of 106015 messages, 75% of my traffic; these come from about 10 different outside IPs."

Whoa... Sounds like a DoS attack to me. You can try shunning those 10 IPs and seeing if it helps. Type "shun xxx.xxx.xxx.xxx" and it will stop all traffic in or out to that IP. You'll have to manually remove them when you want by using a clear shun or no shun command.

Check out to be sure that you have ip audit turned on for your outside interface too. That will detect TCP SYN attacks, and drop them.
 