*show conn all detail* is a good one. and if you are running threat-detection you can do *show threat-detection statistics*. this is a good link too BTW:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

i think show conn and show local-host are my favorites.

i think in your case, the best bet is to craft an interface ACL either on-box or up-stream if you can. you can also ask your ISP if they have a "clean pipes" solution that they can help you with right now. this is a service offering where they can turn on DDOS mitigation technologies like arbor peak flow to protect their customers.

cheers,
andrew

awurster-test(config-webvpn)# show conn all detail
1 in use, 8 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
TCP interwebs:10.21.106.175/50853 NP Identity Ifc:10.89.245.12/443,
    flags UB, idle 10s, uptime 10s, timeout 1h0m, bytes 0

On Wed, May 4, 2011 at 7:34 AM, Todd Heide <[email protected]> wrote:
> I'm hoping someone encountered this one before. I actually have it
> happening in real time on a network.
>
> 4 May 04 2011 09:30:49 733100
> [ HTTP 80] drop rate-2 exceeded. Current burst rate is 5493
> per second, max configured rate is 8; Current average rate is 9778 per
> second, max configured rate is 4; Cumulative total count is 35202387
>
>
> Fine and dandy, someone is flooding the ASA with port 80 traffic. But
> WHO? Is there any way on the ASA to find out the IP(s)?
>
> Thanks
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
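An added example, not part of either message in this thread: one way to answer the "but WHO?" question is to save the *show conn all detail* output suggested above and tally connections per peer address for the flooded port. The sample output, its addresses and the function names are constructed for illustration, and the parser assumes the entry layout shown in the reply.

```python
import re
from collections import Counter

# "<interface>:<ipv4>/<port>"; interface names may contain spaces ("NP Identity Ifc")
ENDPOINT = re.compile(r"([^:,]+?):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
FLAGS = re.compile(r"\bflags\s+([A-Za-z]*)")

# Constructed sample (documentation addresses), laid out like the output above
SAMPLE = """\
TCP outside:198.51.100.7/40112 inside:192.0.2.10/80,
    flags aB, idle 2s, uptime 2s, timeout 30s, bytes 0
TCP outside:198.51.100.7/40113 inside:192.0.2.10/80,
    flags aB, idle 2s, uptime 2s, timeout 30s, bytes 0
TCP outside:203.0.113.20/51500 inside:192.0.2.10/80,
    flags UIOB, idle 1s, uptime 12s, timeout 1h0m, bytes 4312
TCP outside:198.51.100.7/40114 inside:192.0.2.10/80,
    flags aB, idle 1s, uptime 1s, timeout 30s, bytes 0
TCP outside:203.0.113.99/50853 inside:192.0.2.10/443,
    flags UB, idle 10s, uptime 10s, timeout 1h0m, bytes 0
"""

def parse_conns(text):
    """Yield (endpoints, flags) per entry; endpoints is [(ifc, ip, port), ...]."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("TCP ", "UDP ")):
            if current:
                yield tuple(current)
            eps = [(i.strip(), ip, int(p)) for i, ip, p in ENDPOINT.findall(line[4:])]
            current = [eps, ""]
        m = FLAGS.search(line)
        if current and m:
            current[1] = m.group(1)
    if current:
        yield tuple(current)

def top_talkers(text, service_port=80):
    """Return [(peer_ip, connections, not_up)] for one service port, busiest first."""
    total, not_up = Counter(), Counter()
    for eps, flags in parse_conns(text):
        if len(eps) != 2 or service_port not in (eps[0][2], eps[1][2]):
            continue
        # The peer is whichever endpoint is not sitting on the service port
        peer = eps[1] if eps[0][2] == service_port else eps[0]
        total[peer[1]] += 1
        if "U" not in flags:  # legend: "U - up"; counted here as not yet established
            not_up[peer[1]] += 1
    return [(ip, n, not_up[ip]) for ip, n in total.most_common()]
```

Calling `top_talkers(SAMPLE)` ranks peers by connection count to port 80; a peer with many entries that never reach the U flag is the natural candidate for the interface ACL mentioned in the reply.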
