theft of bandwidth

ejaj · ‎10-29-2002

I am havingcisco 7505 on which some lease line users are coming and it is connected to gateway. At the gateway BGP is running and users are connected by static routes. I find a big gap between traffic generated and the traffic crossing gateway. This I concluded by doing total of input and output traffic of all users and expecting it to be equal to in/out traffic at gateway plus some overhead. This gap is more than 100%. I wish to know why there is gap between traffic expected and traffic observed. Additionaly one lease line user is constantly complaining slow access. He doesn't have load on its interface either.

If there is some DoS attack, or some other attcak, can I detect it and take corrective action.

---ejaj

vanwijk · ‎10-30-2002

Hello,

Do you have the right 'bandwidth' configured on that Interface ??

Edwin van Wijk

ejaj · ‎10-30-2002

I didn't define any BW and threrfore I assume BW obtained is controlled by modem BW spec and BW of serial line.

---ejaj

warren · ‎10-30-2002

You didn't provide very much detail, so I am making various assumptions (eg You are runnig BGP with 2 different providers, etc)

There are multiple things that could be causing this. If your total traffic is very low, then just the standard BGP updates could account for this, but this is very unlikely. What sorts of numbers are we talking about here? There are many other things that could be causing this, some of which are below:

Is it possible that one of your providers is pushing traffic to the others through your router (either because you are leaking routes or because they have statics pointing at you)?

Is is possible that you are just seeing standard port-scans and probes? Are you getting lots of packets that you are dropping because you do not have a full route for? Routing your aggregate to Null and making sure you have more specifics for space that is being used will allow you to easily check this (and is a good general practice).

The best way to find this is going to be by exporting NetFlow data and seeing the types of traffic that you are getting and making sure that that looks sane. You could also achieve the same result by having ACL's that permit various (eg permit tcp any any eq 80, permit tcp any any eq 25, permit ip any any) and then seeing how many hits each line in the ACL gets.

ejaj · ‎10-30-2002

Will you kindly explain more. I didn't get you

---ejaj

warren · ‎10-31-2002

OK... If you provide more detail about the design, this would be alot easier. From what I understand you have a router with presumably 2 connections to upstreams ("outfacing") as you are running BGP, and some "infacing" connections to clients. Your outfacing bandwidth exceeds your infacing bandwidth and you are trying to figure out why... If you provide some numbers so we have some ideas of the amount of fraffic we are talking about here, it will be easier to provide useful answers (if the sum of your infacing bandwidth is 100k and the sum of your outfacing bandwidth is 200k that is very differant to 100Mb and 200Mb!). Also, if you provide more info on the size of the address space "behind" the router that would be good (if you are announcing a /17, you will be getting LOTS more backscatter and portscan traffic than if you are announcing a /29!).

Some ways that you can start dealing with this are to install cflowd (free from CAIDA ) or some other NetFlow software (avail. from cisco and others) and then making the router export flows. You can then dump the flows and see what types of traffic you are getting and from where and to where (eg: from 1.2.3.4 to 2.3.4.5, port 21, 80000bytes). More data on setting up netflow is available here:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62e.html

Having this data available is REALLY usefull for all sorts of things, like long-term trending, provider selection, DoS detection and mitigation, general debugging, etc.

If you don't want to deal with all of this, there are some other ways to deal woth this. The easiest is probably going to be setting up ACL's that log traffic, either to a syslog server or just into the buffer. For example:

ip access-list ex Boop

permit ip any any log

int

ip access-group Boop in

ip access-group Boop out

and then looking through the logs (sho log) to see what traffic is matching. Keep in mind that this does generate extra load on the router so don't leave the ACLs in place too long. This will give you a good idea of what traffic is entering and leaving . From looking at this and comparing it to that you are expecting to see on the interface you should be able to determine what the traffic is.

Also, you say that you are running BGP. This implies 2 upstreams. You can make sure that you are not leaking routes (and becomming transit between providers!) by doing:

sho ip bgp nei advertised

and making sure that you are only announcing the correct space.

Some other tools to deal with this are:

sho cef drop (assuming that you are running CEF!)

sho int acc

Turning on IP accounting (here is a link on how:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800b3dda.html) will also give you lots of detail, but opens another whole can of worms!

If you are still having problems, please give more detail about the architechure, etc.