[mrtg] RES: MRTG or SNMP Oddity

ylf ylf at uol.com.br
Tue Jan 21 02:12:12 MET 2003


Hi all; Holt:

In your cfg file, are you using the option[]: unknaszero ?
What does 'snmpget commun at switch trafficbwoid' say at the moment of the
attack?

Maybe* the 'dos' attack generates that bandwidth usage.

Any words are appreciated.

be seeing you,

Yuri

-----Original Message-----
From: mrtg-bounce at list.ee.ethz.ch [mailto:mrtg-bounce at list.ee.ethz.ch] On
behalf of Holt Grendal
Sent: Monday, January 20, 2003 21:21
To: mrtg at list.ee.ethz.ch
Subject: [mrtg] MRTG or SNMP Oddity



Hello all,

I'm having a strange problem with our mrtg bandwidth graphs when sudden
spikes (DoS attacks) occur.

Let's say we have our usual 24 port switch. Port 1 is getting the main
feed and there are other servers and what have you connected to the other
ports.

Server A on port 10 gets DoS attacked (>20 mbit spike). The problem is
such:

I see this 20 mbit spike on the graph of port 1 as incoming. However, I
never see this 20 mbit spike on the graph of Port 10.

The graph of Port 1 continues to update properly during the DoS attack;
however, the graph of port 10 (which is receiving the attack) freezes. By
"freezes" I mean the graph updates but uses the same data as the
previous 5 minute run. So for example the mrtg.log would look like:

1042963500 5128 1739 5128 1739
1042963200 5128 1739 5128 1739
1042962900 5128 1739 5128 1739
1042962600 5128 1739 5128 1739
1042962300 5134 1747 6139 2953
1042962000 6140 2965 6322 4774
1042961700 6319 4762 6322 4774

Notice how there were normal traffic patterns up to 1042962300, then at
1042962600 a DoS attack occurred and the data just froze until the attack
ended. It doesn't "unfreeze" until the attack ceases.

Now occasionally the graphs display a spike on the output port. For
example during a 20 mbps attack the output graph port might display a 1
mbps spike or so and then "freeze" up using this data until the attack
ceases.

I thought this was because we have each port graph running as a separate
config file (because they output the files to separate
directories) and they all run at the same time, every 0,5,10,15, etc.

So I tried to spread this out by leaving some at 0,5,10, etc., some at
1,6,11,16, etc., some at 2,8,12,18, etc., but it did not help much either,
to my dismay.

Logging into the Cisco switch during the DoS attack and doing
a "show int" on the involved ports clearly shows the attack going into
port 1 and out of port 10, in bits/sec and packets/sec.

I'm beginning to think there is some kind of problem with
SNMP. Does anyone have any ideas or have seen this type of behavior
before?

Thank you,

Holt G.

--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 10/1/2003
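The log excerpt Holt posted is what MRTG's default behaviour produces when an SNMP poll for a target returns nothing: unless the target has the unknaszero option set, MRTG repeats the last value it saw, so a port whose agent stops answering during an attack keeps graphing its pre-attack numbers. The following is an added example, not code from the thread or from MRTG itself, that reads an mrtg.log in the five-field format shown above (timestamp, average in, average out, max in, max out, newest first) and flags runs of consecutive samples with identical traffic values, which is the "frozen" signature a defender would want an alert on rather than a flat graph. The function names, the 300-second polling interval and the sample log (constructed from Holt's excerpt) are assumptions of this example.

```python
"""Detect 'frozen' samples in an MRTG log.

Added example for the mrtg thread above; not part of MRTG. Assumes the
five-field mrtg.log layout (timestamp avg_in avg_out max_in max_out) and a
300 s polling interval.
"""
from typing import List, Tuple

Row = Tuple[int, int, int, int, int]

# Constructed sample, taken from the excerpt in the post (newest line first).
SAMPLE_LOG = """\
1042963500 5128 1739 5128 1739
1042963200 5128 1739 5128 1739
1042962900 5128 1739 5128 1739
1042962600 5128 1739 5128 1739
1042962300 5134 1747 6139 2953
1042962000 6140 2965 6322 4774
1042961700 6319 4762 6322 4774
"""


def parse_mrtg_log(text: str) -> List[Row]:
    """Parse log text into (ts, avg_in, avg_out, max_in, max_out) rows, oldest first.

    Lines with fewer than five integer fields (for example the raw counter
    line at the top of a real mrtg.log) are skipped.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            ts, ai, ao, mi, mo = (int(f) for f in fields[:5])
        except ValueError:
            continue  # not a data line
        rows.append((ts, ai, ao, mi, mo))
    rows.sort(key=lambda r: r[0])
    return rows


def find_frozen_runs(rows: List[Row], min_repeats: int = 3,
                     step: int = 300, ignore_idle: bool = True
                     ) -> List[Tuple[int, int, int]]:
    """Return (start_ts, end_ts, sample_count) for every run of at least
    min_repeats consecutive samples whose four traffic values are identical.

    A run only continues across samples exactly `step` seconds apart, so a
    gap in the log ends it. With ignore_idle, runs of all-zero samples are
    skipped because a genuinely idle port repeats zeros legitimately.
    """
    runs: List[Tuple[int, int, int]] = []
    i = 0
    while i < len(rows):
        j = i
        while (j + 1 < len(rows)
               and rows[j + 1][1:] == rows[i][1:]
               and rows[j + 1][0] - rows[j][0] == step):
            j += 1
        count = j - i + 1
        idle = not any(rows[i][1:])
        if count >= min_repeats and not (ignore_idle and idle):
            runs.append((rows[i][0], rows[j][0], count))
        i = j + 1
    return runs


if __name__ == "__main__":
    for start, end, n in find_frozen_runs(parse_mrtg_log(SAMPLE_LOG)):
        print(f"frozen: {n} identical samples from {start} to {end}")
```

Run against a real mrtg.log, a run that starts at the same time a neighbouring port's graph spikes is the pattern described in the post: the upstream port is still answering SNMP while the attacked port's values are stale. Tune min_repeats to the polling interval you use; with unknaszero set, the same outage shows up as a run of zeros instead, which is why ignore_idle defaults to skipping those rather than treating them as a fault.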
 
