[mrtg] MRTG or SNMP Oddity

Holt Grendal holtor at yahoo.com
Tue Jan 21 00:21:07 MET 2003

Hello all,

I'm having a strange problem with our mrtg bandwidth graphs when
sudden spikes (DoS attacks) occur.

Let's say we have our usual 24 port switch. Port 1 is getting
the main feed and there's other servers and what have you connected
to the other ports.

Server A on port 10 gets DoS attacked (>20 mbit spike). The problem
is such:

I see this 20 mbit spike on the graph of port 1 as incoming. However
I never see this 20 mbit spike on the graph of Port 10.

The graph of Port 1 continues to update properly during the DoS attack
however the graph of port 10 (which is receiving the attack) freezes.
By "freezes" I mean the graph updates but uses the same data as
the previous 5 minute run. So for example the mrtg.log would look like:

1042963500 5128 1739 5128 1739
1042963200 5128 1739 5128 1739
1042962900 5128 1739 5128 1739
1042962600 5128 1739 5128 1739
1042962300 5134 1747 6139 2953
1042962000 6140 2965 6322 4774
1042961700 6319 4762 6322 4774

Notice how there was normal traffic patterns up to 1042962300 then
1042962600 a DoS attack occurred and the data just froze until the
attack ended. It doesn't "unfreeze" until the attack ceases.

Now occasionally the graphs display a spike on the output port. For
example during a 20 mbps attack the output graph port might display
a 1 mbps spike or so and then "freeze" up using this data until the
attack ceases.

I thought this was because we have each port graph running as a
separate config file (because they output the files to separate
directories) and they run all at the same time, every 0,5,10,15,etc..

So I tried to spread this out by leaving some at 0,5,10, etc..
Some at 1,6,11,16,etc.., some at 2,8,12,18,etc.. but it did not
help either much to my dismay.

Logging into the Cisco switch during the DoS attack and doing
a "show int" on the involved ports clearly shows the attack going
into port 1 and out of port 10, in bits/sec and packets/sec.

I'm beginning to think there is some kind of problem with
SNMP. Does anyone have any ideas or have seen this type of
behavior before?

Thank you,

Holt G.
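
The freeze described in the post can be detected directly in the log, as an added example that is not part of the original message: the script below scans MRTG log rows (timestamp, average in, average out, max in, max out) and reports stretches where consecutive samples are identical. The names `frozen_runs`, `parse_rows` and `min_run`, and the rule that all-zero stretches count as an idle port, are assumptions made for this example.

```python
"""Flag 'frozen' stretches in an MRTG log: consecutive samples with identical rates."""

# Constructed sample: the seven rows quoted in the post, newest first as MRTG writes them.
SAMPLE_LOG = """\
1042963500 5128 1739 5128 1739
1042963200 5128 1739 5128 1739
1042962900 5128 1739 5128 1739
1042962600 5128 1739 5128 1739
1042962300 5134 1747 6139 2953
1042962000 6140 2965 6322 4774
1042961700 6319 4762 6322 4774
"""


def parse_rows(text):
    """Return (timestamp, (avg_in, avg_out, max_in, max_out)) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # The first line of a real mrtg.log has 3 fields (raw counters); skip it
        # along with anything else that is not a 5-column numeric row.
        if len(fields) != 5 or not all(f.isdigit() for f in fields):
            continue
        ts, *rates = map(int, fields)
        rows.append((ts, tuple(rates)))
    rows.sort()
    return rows


def frozen_runs(text, min_run=3):
    """Return (first_ts, last_ts, samples) for each run of >= min_run identical rows."""
    rows = parse_rows(text)
    runs = []
    start = 0
    for i in range(1, len(rows) + 1):
        if i < len(rows) and rows[i][1] == rows[start][1]:
            continue  # still inside the same run of identical rates
        length = i - start
        # Assumption: an all-zero run is an idle port, not a stalled poll.
        if length >= min_run and any(rows[start][1]):
            runs.append((rows[start][0], rows[i - 1][0], length))
        start = i
    return runs


if __name__ == "__main__":
    for first, last, n in frozen_runs(SAMPLE_LOG):
        print(f"{n} identical samples from {first} to {last}")
```

Comparing the flagged time window against the uplink port's log for the same interval shows whether the identical samples coincide with a traffic spike elsewhere on the switch.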
