oh and netflow data of course if you've got it enabled somewhere relevant to the affected area.

On Wed, May 4, 2011 at 9:15 AM, Andrew Wurster <[email protected]> wrote:

> *show conn all detail* is a good one. and if you are running
> threat-detection you can do *show threat-detection statistics*. this is a
> good link too BTW:
>
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
>
> i think show conn and show local-host are my favorites. i think in your
> case, the best bet is to craft an interface ACL either on-box or up-stream
> if you can. you can also ask your ISP if they have a "clean pipes" solution
> that they can help you with right now. this is a service offering where
> they can turn on DDOS mitigation technologies like arbor peak flow to
> protect their customers.
>
> cheers,
>
> andrew
>
> awurster-test(config-webvpn)# show conn all detail
> 1 in use, 8 most used
> Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
>        B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
>        D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
>        G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
>        i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
>        k - Skinny media, M - SMTP data, m - SIP media, n - GUP
>        O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
>        q - SQL*Net data, R - outside acknowledged FIN,
>        R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
>        s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
>        V - VPN orphan, W - WAAS,
>        X - inspected by service module
> TCP interwebs:10.21.106.175/50853 NP Identity Ifc:10.89.245.12/443,
>     flags UB, idle 10s, uptime 10s, timeout 1h0m, bytes 0
>
> On Wed, May 4, 2011 at 7:34 AM, Todd Heide <[email protected]> wrote:
>
>> I'm hoping someone encountered this one before. I actually have it
>> happening in real time on a network.
>>
>> 4 May 04 2011 09:30:49 733100
>> [ HTTP 80] drop rate-2 exceeded. Current burst rate is 5493
>> per second, max configured rate is 8; Current average rate is 9778 per
>> second, max configured rate is 4; Cumulative total count is 35202387
>>
>> Fine and dandy, someone is flooding the ASA with port 80 traffic. But
>> WHO? Is there any way on the ASA to find out the IP(s)?
>>
>> Thanks
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
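
Added example, not part of the original thread or any Cisco tooling: a Python sketch that ranks the addresses in saved "show conn all detail" output by connections to port 80, as one way to get from the 733100 drop-rate message to the source IPs. It assumes the entry layout shown in the quoted output (outside endpoint first, entries possibly wrapped); parse_conns, top_talkers and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# One entry as printed in the quoted "show conn all detail" output. Interface
# names may contain spaces ("NP Identity Ifc"), so match up to the colon.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONN_RE = re.compile(
    r"\b(TCP|UDP) ([^:,]+?):" + IP + r"/(\d+) ([^:,]+?):" + IP + r"/(\d+), "
    r"flags ([^,]*), .*?bytes (\d+)"
)

def parse_conns(text):
    """Yield one dict per connection; wrapped lines are re-joined first."""
    flat = " ".join(text.split())
    for m in CONN_RE.finditer(flat):
        proto, ifc1, ip1, port1, ifc2, ip2, port2, flags, nbytes = m.groups()
        yield {"proto": proto, "src_ifc": ifc1, "src": ip1, "sport": int(port1),
               "dst_ifc": ifc2, "dst": ip2, "dport": int(port2),
               "flags": flags.strip(), "bytes": int(nbytes)}

def top_talkers(text, dport=80, limit=10):
    """Return [(ip, conns, zero_byte_conns)] for dport, busiest first.
    Assumes the outside endpoint is printed first, as in the quoted sample."""
    total, empty = Counter(), Counter()
    for c in parse_conns(text):
        if c["dport"] != dport:
            continue
        total[c["src"]] += 1
        if c["bytes"] == 0:
            empty[c["src"]] += 1
    return [(ip, n, empty[ip]) for ip, n in total.most_common(limit)]

# Constructed sample (documentation addresses), wrapped as the e-mail wrapped it.
SAMPLE = """\
TCP outside:198.51.100.7/50853 inside:203.0.113.10/80,
    flags UB, idle 10s, uptime 10s, timeout 1h0m, bytes 0
TCP outside:198.51.100.7/50854 inside:203.0.113.10/80,
    flags UB, idle 9s, uptime 9s, timeout 1h0m, bytes 0
TCP outside:198.51.100.7/50855 inside:203.0.113.10/80,
    flags UIOB, idle 2s, uptime 40s, timeout 1h0m, bytes 812
TCP outside:198.51.100.22/41200 inside:203.0.113.10/80,
    flags UIOB, idle 1s, uptime 2m5s, timeout 1h0m, bytes 5120
TCP outside:198.51.100.7/50900 inside:203.0.113.10/443,
    flags UIOB, idle 3s, uptime 1m0s, timeout 1h0m, bytes 2048
"""

if __name__ == "__main__":
    for ip, conns, zero in top_talkers(SAMPLE):
        print(f"{ip:15}  conns={conns:<6} zero-byte={zero}")
```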
