Hi All;

Holt: in your cfg file, are you using the option: unknaszero? What does 'snmpget [EMAIL PROTECTED] trafficbwoid' say at the moment of the attack?

Maybe the 'dos' attack generates that bandwidth usage. Any words are appreciated.

be seeing you,
Yuri

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Holt Grendal
Sent: Monday, 20 January 2003 21:21
To: [EMAIL PROTECTED]
Subject: [mrtg] MRTG or SNMP Oddity

Hello all,

I'm having a strange problem with our mrtg bandwidth graphs when sudden spikes (DoS attacks) occur.

Let's say we have our usual 24 port switch. Port 1 is getting the main feed and there's other servers and what have you connected to the other ports. Server A on port 10 gets DoS attacked (>20 mbit spike).

The problem is such: I see this 20 mbit spike on the graph of port 1 as incoming. However I never see this 20 mbit spike on the graph of Port 10. The graph of Port 1 continues to update properly during the DoS attack, however the graph of port 10 (which is receiving the attack) freezes. By "freezes" I mean the graph updates but uses the same data as the previous 5 minute run. So for example the mrtg.log would look like:

    1042963500 5128 1739 5128 1739
    1042963200 5128 1739 5128 1739
    1042962900 5128 1739 5128 1739
    1042962600 5128 1739 5128 1739
    1042962300 5134 1747 6139 2953
    1042962000 6140 2965 6322 4774
    1042961700 6319 4762 6322 4774

Notice how there were normal traffic patterns up to 1042962300, then at 1042962600 a DoS attack occurred and the data just froze until the attack ended. It doesn't "unfreeze" until the attack ceases.

Now occasionally the graphs display a spike on the output port. For example during a 20 mbps attack the output graph port might display a 1 mbps spike or so and then "freeze" up using this data until the attack ceases.

I thought this was because we have each port graph running as a separate config file (because they output the files to separate directories) and they run all at the same time, every 0,5,10,15,etc.. So I tried to spread this out by leaving some at 0,5,10, etc.., some at 1,6,11,16,etc.., some at 2,8,12,18,etc.. but it did not help either much to my dismay.

Logging into the Cisco switch during the DoS attack and doing a "show int" on the involved ports clearly shows the attack going into port 1 and out of port 10, in bits/sec and packets/sec.

I'm beginning to think there is some kind of problem with SNMP. Does anyone have any ideas or have seen this type of behavior before?

Thank you,
Holt G.

--
Unsubscribe mailto:[EMAIL PROTECTED]
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org
Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi

---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 10/1/2003
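As an added example (not code from the thread or from the MRTG project), a small Python check over the mrtg.log excerpt Holt quoted: MRTG repeats the previous row when an SNMP poll returns nothing unless unknaszero is set, so a run of identical rows is a sign the poller lost the target, not a sign of flat traffic. The log text below is the excerpt from the mail embedded as constructed sample input; the minimum run length of 3 rows is an assumed threshold.

```python
from typing import List, Tuple

# Constructed sample: the mrtg.log rows quoted in the mail, newest first.
# MRTG row layout: timestamp, avg-in, avg-out, max-in, max-out (bytes/sec).
MRTG_LOG = """\
1042963500 5128 1739 5128 1739
1042963200 5128 1739 5128 1739
1042962900 5128 1739 5128 1739
1042962600 5128 1739 5128 1739
1042962300 5134 1747 6139 2953
1042962000 6140 2965 6322 4774
1042961700 6319 4762 6322 4774
"""

Row = Tuple[int, int, int, int, int]


def parse_mrtg_log(text: str) -> List[Row]:
    """Parse mrtg.log lines into (ts, in_avg, out_avg, in_max, out_max) tuples."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not all(p.isdigit() for p in parts):
            continue  # skip blank or malformed lines
        rows.append(tuple(int(p) for p in parts))  # type: ignore[arg-type]
    return rows


def find_frozen_runs(rows: List[Row], min_repeats: int = 3) -> List[Tuple[int, int, int]]:
    """Return (first_ts, last_ts, row_count) for runs of consecutive rows whose
    four counters are identical (avg == max in every row), which is what MRTG
    writes when it keeps reusing the last good sample during failed polls."""
    runs = []
    i = 0
    while i < len(rows):
        j = i
        while j + 1 < len(rows) and rows[j + 1][1:] == rows[i][1:]:
            j += 1
        count = j - i + 1
        if count >= min_repeats:
            stamps = [r[0] for r in rows[i:j + 1]]
            runs.append((min(stamps), max(stamps), count))
        i = j + 1
    return runs


if __name__ == "__main__":
    for first, last, n in find_frozen_runs(parse_mrtg_log(MRTG_LOG)):
        print(f"frozen: {n} identical rows from {first} to {last} ({(n - 1) * 5} min)")
```

Run against a live mrtg.log this flags the window where the port-10 graph stopped reflecting the switch counters; with unknaszero set the same window shows up as zeros instead, which is easier to spot on the graph but still a monitoring gap.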
