Were you able to identify if it was on-campus or off (Internet)? A good IPS/IDS at the border (or preferably, at the core*) would help. Was it only your wireless network that was impacted, or both (since you posted to the wireless group)?
*There is a concept that (I think) Forrester Research published a paper on like 5 or so years ago called Zero Trust Networking. The idea is to place the firewall/IDS/IPS at the core instead of the edge, and monitor all traffic. 10 years ago, security devices weren't robust enough to really do this economically. The situation is much different now. We've been doing this for quite a while. Most of the time now, if we have network-wide problems, it's usually because of human error rather than something intentional.

If you haven't posted this to the network group and the problem is network-wide, you may want to move the discussion there.

-Brian

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Joann Williamson [[email protected]]
Sent: Wednesday, December 12, 2012 10:17 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] How to locate the source of problematic traffic

I have found that if you pay for Smartnet on your core switch, then Cisco TAC will usually help you span ports there that go to the edge switches which may not all be covered under Smartnet, monitor them, use a packet capture such as Wireshark, and locate the culprit. That is our SOS plan when problematic traffic hits campus and isn’t an obvious find.

They can also assist your network engineer in implementing sticky port which causes users to have to call IT when they need to connect something new to the network if you don’t have a NAC in place. They can help you with ACLs which can block certain traffic, too.

To do an automatic lock, just shut down the ports on your core using the telnet interface going to the edge switches one by one, or more than one if you want to do vlan by vlan.

If you are looking to monitor your Internet traffic and do some throttling of certain types of traffic, you may want to look into purchasing a packet shaping appliance.

Hope this is the kind of advice you were looking for.

+++++++++++++++++++++++++++++++++++++++++++++++
Joann L. Williamson
Director of Network Systems, Architecture, & Infrastructure
University of South Carolina Aiken
phone: 803-641-3473
http://www.usca.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Hernán Badilla
Sent: Wednesday, December 12, 2012 9:48 AM
To: [email protected]
Subject: [WIRELESS-LAN] How to locate the source of problematic traffic

We recently suffered some kind of attack on our network; the Internet connection was nearly 100% saturated. We disconnected several segments of our network and the symptom stopped.

If the situation persists, we need options, software / hardware to help us identify and locate the origin and types of problematic traffic; an automatic lock is desirable.

In our institution we have wired and wireless networks, all devices Cisco brand.

We appreciate any suggestions or experience you can share with us.

Thanks,
Hernan.
INCAE Business School
Alajuela, Costa Rica.
office +506 24 37 22 75

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
