10-18-2002 01:26 PM - edited 03-02-2019 02:12 AM
We have some 2900XL switches. The main link is set to 100Mbytes/s and the server links are set up to 10Mbytes/s. During a DDoS attack using fragmented packets, the MRTG stats on the workstation ports (limited to 10Mbytes/s on the switch using the speed command) went up to ~90Mbytes in peaks.
How is it possible to exceed the speed limit? When we tried to spray for testing, we couldn't go over 10Mbytes/s.
Has anyone experienced this? Is it possible to bypass the 10Mbytes/s limit on one port?
Regards.
F.
10-18-2002 02:54 PM
Two obvious points, but they need to be asked:
-The port is indeed set to 10mbs (do a show port x/x)
-MRTG is set to bits, not bytes - In your mrtg.cfg file, is your MaxBytes[xxxxx]: 125000 or 1250000 (ethernet) or 12500000 (fast)? Are you using the "Options[xxxx]: bits"?
There is a free app called Qcheck (from NetIQ) that can measure the throughput on a link. Download it and try what it says.
If the port is 10Mbs and MRTG is set up correctly, it is strange. It's not possible to exceed the practical limits - i.e. you can't get 110mbs on a 100Mbs link, but I guess it would be possible to get more from a 10Mbs switch port through an internal error or bug as the port and cable can go up to 100Mbs - but I haven't heard of that before.
Steve
10-21-2002 01:09 PM
Sorry, everything in my post is in bytes; it should be bits.
The ports are indeed set up to 10Mbps and traffic was going up to 90Mbps.
In mrtg config files, you have both
- Options[_]: bits
- MaxBytes[IP_Port]: 12500000
Thanks for helping.
F.
10-21-2002 03:05 PM
That's it then. Change your MaxBytes to 1250000 and you will be fine. MRTG thinks your port is 100Mbs, so it reports it as 90Mbs. Make the port 10Mbs and it will report traffic correctly as 9Mbs.
Steve
10-22-2002 08:40 AM
We made the following test.
Ping flood over 17Mbps
MaxBytes at 1250000, MRTG graph topping at 9.9Mbps
MaxBytes at 12500000, MRTG graph also topping at 9.9Mbps
So it's not a scale problem on MRTG.
During the attack, which was against one host, all the ports were flooded, as if the switches were behaving like a hub (forgetting the MAC?).
Any idea?
Thanks.
F.
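For reference alongside the MaxBytes test above, an added example (not part of the thread and not MRTG's own code) that models how a poller derives a rate from two ifInOctets readings and applies a MaxBytes ceiling, which MRTG's documentation describes as ignoring values above it. The 300-second interval, the function names and the counter values are assumptions constructed for illustration.

```python
# Added example: simplified model of how an MRTG-style poller turns two
# ifInOctets readings into a rate. All counter values below are constructed.

COUNTER32_MOD = 2 ** 32      # ifInOctets is a 32-bit counter and wraps
POLL_SECONDS = 300           # assumption: 5-minute polling interval


def octet_rate(prev, curr, seconds=POLL_SECONDS):
    """Bytes per second between two counter readings, allowing one wrap."""
    delta = (curr - prev) % COUNTER32_MOD
    return delta / seconds


def report_mbps(prev, curr, max_bytes, seconds=POLL_SECONDS):
    """Rate in Mbit/s, or None when the sample exceeds MaxBytes.

    MaxBytes is a validity ceiling in bytes per second: a sample above it is
    dropped, a sample below it is reported unchanged. It never rescales.
    """
    rate = octet_rate(prev, curr, seconds)
    if rate > max_bytes:
        return None
    return round(rate * 8 / 1_000_000, 2)   # "Options: bits" multiplies by 8


# Constructed samples: bytes counted in one interval at 9.9 and 90 Mbit/s.
START = 4_000_000_000                        # close to the wrap point
AT_9_9 = (START + 371_250_000) % COUNTER32_MOD
AT_90 = (START + 3_375_000_000) % COUNTER32_MOD

if __name__ == "__main__":
    for max_bytes in (1_250_000, 12_500_000):
        print(max_bytes,
              report_mbps(START, AT_9_9, max_bytes),
              report_mbps(START, AT_90, max_bytes))
```

In this model a 9.9 Mbit/s sample reads the same under both MaxBytes settings, while a 90 Mbit/s sample is only reported when MaxBytes is 12500000.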