Identifying Network Jammers
osprey
07-06-2004, 12:44 PM
Hello there,
This is a networking question from me, a novice at network administration.
I had a case a few days back when everyone in my office had VERY VERY slow connections to the internet as well as within our network.
I checked everything I knew but all seemed normal. I then began asking better-skilled network experts as to the cause of my office network situation. They asked me to check if anyone in the network was "jamming the network" or if anyone was "sending out D-o-s packets". These people stopped short of telling me how I was to perform those checks.
So, my questions:
1) How do I check and benchmark my network traffic?
2) How do I check if any machine (or any IPs) were indeed "jamming my network" or "sending out D-o-s packets", or anything else that may have caused the slow down?
3) What tools do I need to perform the above?
FYI, I am running an NT 4 Server with Win98, ME, XP and Mac clients.
Please offer some advice.
Variable
07-08-2004, 12:02 AM
A couple of things you can do. One is, if you're the network admin you should be running Network Monitor (http://support.microsoft.com/default.aspx?scid=kb;en-us;243270)
If you think that something is happening on your network, use a packet sniffer like Ethereal. Learn how to use it; you can do real-time monitoring of packets going past the NIC. You can see who is sending what, which is very useful. Ethereal (http://www.ethereal.com/)
DoS is Denial of Service; it usually involves ICMP ping echo requests, but there are variations that use ARP, UDP, DNS requests, etc. Look here for info on attacks: CERT (http://www.cert.org/). You can stop these a few ways; one is that your network should be behind a firewall. With a firewall you can control what enters your network. You're going to have to do your homework on this. Setting up good hardware firewalls can be done several ways; it depends on how big your network is, how much bandwidth you use and how much you want to spend. The cheapest way to do it is a Linux box set up as a firewall. Linux firewall/router (http://www.networkcomputing.com/unixworld/tutorial/013/013.part2.html)
If you have machines internal to the network infected with a virus or exploit that is causing your DoS problems, you should think about antivirus. The best way to do it on a network is with server-side AV, like Norton Corporate Edition. You should also seriously consider dumping NT and the 98 boxes and upgrading the OSes. At least upgrade the servers.
Patches: Windows Bulletins (http://www.microsoft.com/technet/security/default.mspx)
If you are the admin you should stay on top of all patches for the OSes (I don't know if they still patch NT). Try them on the least critical server first, then patch the others one at a time. Blindly patching everything can cause you serious headaches and downtime. I would also not patch the first day they come out. Your first defense against attacks is knowing how the attacks happen, so get started on catching security bulletins.
This is enough information to get you started; learning everything you need to know to protect your LAN will take some serious study.
Variable
juniper
07-08-2004, 03:38 PM
Well, learning everything you need to know to protect a network is, well, impossible; even the best security people will not guarantee 100% security. What is your infrastructure equipment? Do you have a firewall, and what is it? What type of routers and switches or hubs? If you have switches, Ethereal isn't gonna do much except pick up broadcasts unless you enable port mirroring (using ARP poisoning on a network that is getting attacked would not be a very good idea hehe). If you have managed switches/routers, look at their processor and memory utilization as well as the port info (i.e. packets in and out); this will give you a good idea of what machines, if any, are generating large amounts of traffic. Then port mirror the port and sniff it to see if it is in fact generating legit traffic. Also look for CRC or framing errors on the ports. Well, I'll save getting too detailed until you give more info on what you are using.
Variable
07-08-2004, 06:54 PM
Juniper, many DoS attacks use broadcasts. Many viruses use broadcasts to find other machines to infect. If you were going to do network monitoring, I would think you would hook up a machine on the router as a network monitor. That brings up SNORT, which is a great program. Either way, packet sniffers are a great tool for monitoring your network, switch or no switch, or hooked up behind the firewall; it's a vital tool.
Variable
juniper
07-09-2004, 12:44 AM
Since you directed a comment my way, I think you need to learn about sniffing in a switched network. I'm curious as to which virus uses broadcasts to find other machines; name one that is common? I know it's not Nachi, Welchia, or SQL Slammer; these generate random directed IP addresses to attack and are not broadcasts, and will drop a network to its knees (your sniffer on a switched network is useless here, whether it's SNORT, Observer, Ethereal or a multitude of others). The most common effect will be the router complaining of memory errors or high CPU usage on the interface to the internet. Yes, I have found these viruses in many networks by putting a sniffer in front of the internet router (using port mirroring) and/or using the routers and switches themselves, like on the Cisco using NetFlow or MLS, then creating an ACL to mitigate the issue while the PCs are getting cleaned. A sniffer like Ethereal on his PC would not find these viruses in a switched network. As for DoS attacks, they can be anything; most, however, are not broadcasts, they are distributed SYN attacks against a host. Directed broadcast storms are not that common anymore since Cisco made it the default in version 12.0 of its IOS to block directed broadcasts; as well, on your switches you should use broadcast storm control between them. (You don't learn this stuff in your CCNA class hehe.) Most people also don't understand that most firewalls act a lot different than the others in what they can and can't do; that is why specifics on the firewall are needed, as some like the PIX have IDS built in that will detect some of this. That's if a firewall even exists in this case. Oh, and how do you hook in a machine to the router? "I would think you would hook up a machine on the router as a network monitor."
To be more detailed, here is a list of the most common exploits/attacks....
CGI scripts
CGI scripts consist of server-side programs which generate dynamic web sites. A typical CGI is formmail.cgi, which allows users to send e-mails to the website administrator without making use of an e-mail client. Other attacks that make use of CGI scripts include cross-site scripting, SQL command injection, and path traversal.
Web server attacks
Many times the web server itself can have security holes. Both Apache on UNIX and IIS on Windows NT have their share of root or SYSTEM vulnerabilities. An unpatched IIS 5 is vulnerable to the Unicode directory traversal attack, where attackers are able to execute files such as CMD.exe to gain a remote shell. Another common bug is a buffer overflow in the request field or in one of the other HTTP fields.
Web browser attacks
Most modern web browsers have a series of security loopholes. Typical software vulnerabilities like format string and buffer overflow attacks are also found in HTTP clients (such as Internet Explorer and Netscape). Active content such as JavaScript, Java, ActiveX and HTML itself can also pose a security risk.
HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information. A well-known exploit for IE consists of encapsulating HTTP headers within an EML file and launching an executable embedded within the EML file.
HTML can often be exploited through buffer overflows. Internet Explorer 6 as well as previous versions of IE and Netscape were found to be vulnerable to these kinds of attacks, using different HTML tags with long strings as attributes.
JavaScript is well known to be the prime cause of security loopholes within web browsers, likewise VBScript and any other type of active scripting. These functions are generally run in a sandbox environment; however, from time to time hackers find new ways to escape the sandbox environment and execute code, read sensitive files, etc.
Frames and iframes are many times used in conjunction with active scripting (JavaScript, ActiveX, VBScript) exploits. However, they are sometimes also used as a social engineering exploit to fake legitimate sites.
Java was built with a strong security model by making use of sandbox technology. However, third parties have implemented their own versions, which can introduce bugs and flaws. Normal Java applets have no access to the local system, but sometimes they would be more useful if they did have local access; hence the implementations of "trust" models, which can more easily be hacked.
ActiveX is even more dangerous than Java as it works purely from a trust model and runs native code. The trust model consists of either allowing the ActiveX application to run on the client machine, or not. Unlike Java, the ActiveX model has no way to limit the application to certain functions only. As a security precaution, ActiveX components generally have to be digitally signed. The signature assures the customer that the producer of the ActiveX component is legitimate, but not that the ActiveX component is safe to install.
Access Auditing
Operating systems usually support logging of failed login attempts, failed file access and attempts to perform administrative tasks, especially by non-administrative user accounts.
POP3 and IMAP
POP3 and IMAP servers are known to contain exploits just like any other software. Apart from that, an attacker can launch an attack in order to guess the password of a specific email address.
IP spoofing
A good number of attacks make use of changing the source IP address. The TCP/IP protocol has no way to check if the source IP address in the packet header actually belongs to the machine sending it. Some of the attacks which take advantage of IP spoofing are:
SMURF Attack
A broadcast ping is sent, and the source IP of the ping is set to the victim's IP address. In this case a huge number of computers will respond and send a ping reply to the victim. When this is repeated, the victim's machine or link will get overloaded, causing a denial of service.
TCP sequence number prediction
A TCP connection is assigned a sequence number for the client and for the server. If the sequence number is predictable, intruders can create packets with forged IP address and guess the sequence number to hijack TCP connections.
DNS poisoning through sequence prediction
DNS servers usually query other DNS servers to resolve names for other hosts. An attacker will send a request to the victim DNS server as well as a response to the same server. This way the attacker can make clients trying to access www.hotmail.com point to his servers.
Buffer Overflows
Some common buffer overflow attacks are:
Buffer overruns in major web servers
Both Apache and IIS have well known vulnerabilities. Worms such as Code Red (for IIS) and Linux.Slapper (for Apache) make use of such vulnerabilities to spread.
DNS overflow
Some of the older DNS servers (BIND) are vulnerable to overflows. A typical attack would be to supply an overly long DNS name to the server. DNS names are limited to 64-bytes per subcomponent and 256-bytes overall.
DNS attacks
DNS servers are usually trusted by services and users - meaning that compromising a DNS server can lead to further attacks on end users and other services. This makes DNS servers a prime target for hacker attacks.
DNS cache poisoning
This is a very typical attack on DNS servers. In simple terms it works by sending a question to resolve a given domain ("Who is www.test.com?") and providing the answer with false information ("www.test.com is 127.0.0.1").
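Two of the patterns in juniper's list, the SMURF amplification and the distributed SYN attack mentioned earlier in the post, leave a recognisable shape in a capture: one host receiving echo replies from many different senders (and its address showing up as the source of echo requests to a broadcast address), and one destination collecting SYNs from many sources that never complete the handshake. The detector below is an added example, not code from the thread; the packet summary is constructed, the thresholds are assumptions, and the broadcast test (`dst.endswith(".255")`) assumes a /24 LAN.

```python
"""Flag Smurf-style ICMP floods and SYN floods in a packet summary."""
from collections import defaultdict

# Constructed sample capture, one tuple per packet: (src, dst, proto, detail).
# For ICMP, detail is the message type; for TCP it is the flag string.
# Addresses and counts are made up for the example.
PACKETS = (
    # Echo requests whose source claims to be 10.0.0.7, aimed at the LAN broadcast.
    [("10.0.0.7", "10.0.0.255", "icmp", "echo-request")] * 3
    # Forty different hosts answering, all towards 10.0.0.7: the amplification.
    + [(f"10.0.0.{i}", "10.0.0.7", "icmp", "echo-reply") for i in range(20, 60)]
    # One normal three-way handshake to the web server 10.0.0.5.
    + [("10.0.0.31", "10.0.0.5", "tcp", "S"),
       ("10.0.0.5", "10.0.0.31", "tcp", "SA"),
       ("10.0.0.31", "10.0.0.5", "tcp", "A")]
    # 119 SYNs from forged sources that never complete the handshake.
    + [(f"192.0.2.{i}", "10.0.0.5", "tcp", "S") for i in range(1, 120)]
)


def smurf_suspects(packets, min_sources=16):
    """Hosts that receive echo replies from at least `min_sources` distinct
    senders, plus hosts whose address appears as the source of echo requests
    to a broadcast address. Returns (host, distinct_reply_sources,
    seen_as_broadcast_requester). Threshold and ".255" broadcast test are
    assumptions (a /24 LAN)."""
    reply_sources = defaultdict(set)
    bcast_requesters = set()
    for src, dst, proto, detail in packets:
        if proto != "icmp":
            continue
        if detail == "echo-reply":
            reply_sources[dst].add(src)
        elif detail == "echo-request" and dst.endswith(".255"):
            bcast_requesters.add(src)
    hosts = {h for h, s in reply_sources.items() if len(s) >= min_sources} | bcast_requesters
    return sorted((h, len(reply_sources[h]), h in bcast_requesters) for h in hosts)


def syn_flood_targets(packets, min_half_open=64):
    """Destinations with at least `min_half_open` distinct sources that sent a
    SYN but never followed with an ACK. Completed handshakes are subtracted so
    a busy but healthy server is not flagged."""
    syn_from = defaultdict(set)
    ack_from = defaultdict(set)
    for src, dst, proto, flags in packets:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_from[dst].add(src)
        elif "A" in flags and "S" not in flags:
            ack_from[dst].add(src)
    return [
        (dst, len(srcs - ack_from[dst]))
        for dst, srcs in syn_from.items()
        if len(srcs - ack_from[dst]) >= min_half_open
    ]


if __name__ == "__main__":
    print("smurf victims / spoofed sources:", smurf_suspects(PACKETS))
    print("SYN flood targets:", syn_flood_targets(PACKETS))
```

Note what each result means for the novice admin in the opening post: a host that appears in the smurf list is either the victim or the address being forged, and in both cases the fix is upstream (drop directed broadcasts, filter at the firewall), not on that host. The SYN flood check subtracts completed handshakes so that a legitimately busy server with many clients does not trip it.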
juniper
07-09-2004, 01:35 AM
Just so we are clear:
Either way, packet sniffers are a great tool for monitoring your network, switch or no switch, or hooked up behind the firewall; it's a vital tool.
Capturing just broadcasts is usually a waste of time. Not always, but usually. Learning to use your switches with a packet sniffer is a very vital part of controlling your network.
Variable
07-09-2004, 03:56 PM
:p
Ok, tell me how switches stop broadcasts. There is no mention of VLANs here. Switches flood all broadcast and multicast traffic... right?
security on a network (http://www.enterprisenetworksandservers.com/monthly/art.php/408)
Use your network analyzer to fight Viruses (http://www.itsecurity.com/papers/netinst1.htm)
Im curious as to which virus useses broadcasts to find other machines, name one that is common?
I have sat on a switch and watched network traffic from infected machines sending out packets and found the machines that were infected by simply seeing which machine was sending out the packets. Whether these were sent out to the "broadcast" address or were a randomly generated number is irrelevant; the point was you are looking at a network using a PC on a switch and can see exploited machines trying to infect other machines. You're just nitpicking, trying to find some fault in something I said. Get over yourself. : )
I did a search on several security sites for broadcast exploits and found so many I stopped typing them in and deleted it. You can do the same yourself. Broadcast storms, Smurf and Fraggle (and their variants) come in tops. It also looks like several of the RPC DCOM exploits use broadcasts for various parts of the infection, propagation and attack.
Just because an attack is not on Fox News doesn't mean it won't infect your machines :rolleyes:
If you think protocol analyzers are useless on a switched network, that's fine. I know they work. I have used them to find machines infected in a network : )
Maybe it's different in the Novell environment. Dunno.
Variable
juniper
07-09-2004, 08:32 PM
WOW, you obviously are not familiar with this type of stuff. Try calming yourself down and reading my posts slower, then read the links you posted SLOWER! They say the same thing. I covered SMURF and Fraggle; both are easily mitigated, and that is why I asked what kind of equipment he has.
READ SLOWLY...
From you..
If you think protocol analyzers are useless on a switched network, that's fine. I know they work. I have used them to find machines infected in a network : )
From me...
Capturing just broadcasts is usually a waste of time. Not always, but usually. Learning to use your switches with a packet sniffer is a very vital part of controlling your network.
*cough* sniffer is very vital!
From you...
Whether these were sent out to the "broadcast" address or were a randomly generated number is irrelevant,
It is very relevant, as directed packets will not be seen from other switch ports; this you should have learned in the beginning of CCNA, as this is the main difference between a hub and a switch. Let's learn you something first hehe: let's say multiple PCs infected with the Blaster virus attack SCO.com. This sends directed packets to a switch; the switch gets the packet and sends it out only the port connected to your default gateway (not broadcasting it out every port), so your PC in the switch on another port just running a sniffer would not even see this!!!!!!
FROM YOUR LINK....
if the device to be protected is connected directly to a switch port, then the switch should be configured to mirror (or SPAN) all traffic from that switch port onto a separate switch port on which the probe is located. For continuous monitoring of viruses and attacks, probes must be implemented. More probes may need to be deployed if some are to be used for general monitoring, and some to be used for protection.
You will also see a lot about using MLS and NetFlow and other things I mentioned earlier in your links to find viruses. Again, read both SLOWER!
Maybe it's different in the Novell environment. Dunno.
It is very different in a NOVELL environment as 90% of viruses have no effect on NOVELL hehe!!!
From you...
Ok, tell me how switches stop broadcasts.
READ SLOWER!!!! Or quote where I said this, because it doesn't, and I don't think I said this.
You're just nitpicking, trying to find some fault in something I said.
Nope, I never intended to pick on you; I believe you brought my name into this. Besides, the readers of your links will well know I didn't have to nitpick, just saying how it really works to help someone out in trouble, not confuse them even more.
juniper
07-10-2004, 06:03 PM
Seriously, Variable, I'm not trying to nitpick here but to help people out with their networking issues. Your link is kinda vague as to how to use an analyzer to help secure your network, so maybe I can clear this up..
When reading through, you will notice the word "probe" used; this can be a sensor on a switch port or a PC running IDS software or an analyzer, whatever.
You will also see that to secure a specific device (capture data from it), it says to use a hub with your analyzer in one port and the server or whatever in the other, with an uplink to the switch from the hub. This way the analyzer can see all data to and from the server (because it's on the same hub). If the server is plugged directly into the switch, you will need to port mirror (SPAN) the port (this means all traffic on the server's switch port will be duplicated on the port your analyzer is on so it can capture the data).
You will also see where it mentions that in a switched network environment, an analyzer is only able to see traffic local to the switch. This means you would need to port mirror (SPAN) all the ports in the switch to the probe's switch port, and you cannot port mirror from one switch to another (making it local to only that switch).
Another good method for a network analyzer is to use SNMP; this gets you around using port mirroring (SPAN) (which is very resource intensive for the switch). You set up an SNMP traffic analyzer to connect to each device's network card via SNMP; it will pull traffic stats and how long the device has been running (server/router/switch uptime). You can then enable trending, which is very important for IDS so your sensors learn what is normal traffic and what isn't (to eliminate false positives) on your network, as all networks are different. Make sure when using SNMP you secure it by using private community strings and only allowing access from the SNMP server itself in read-only mode. SNMP v3 is the most secure and recommended.
The problem you run into with a lot of viruses is that they will stop trying to spread when they start a DoS attack, which is directed IP, not a broadcast, so you will only find the ones that are spreading with broadcasts, if they are using that. However, even though this is used to DoS someone else, it will also cause a DoS in your environment. The reason you are able to see a virus scanning other computers in your network with a sniffer capturing only broadcasts on a switch without mirroring ports is basic networking; more specifically, NIC cards do not understand IP and use MAC addresses to move data, so when the virus chooses an internal address it will ARP for that IP, which is a broadcast. This is what you have seen on your sniffer. The thing is, if the PC or server is already in its ARP table it will not broadcast an ARP request, and if it is spreading or attacking outside the network it will use IP, not ARPing, to cause a broadcast. So basically you found only the computers that were spreading and not the ones attacking.
Hope this helps.
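The ARP observation in the post above is the one thing a sniffer on an ordinary (unmirrored) switch port can actually use: a worm walking the local subnet has to ARP for each target it has not talked to yet, and every one of those requests is a broadcast. The script below is an added example, not code from the thread or its posters; the ARP requests are constructed (two normal hosts looking up the gateway and a file server, one host sweeping the whole /24), and the 10-second window and 30-target threshold are assumptions. As the post says, it only catches spreaders that ARP; a host attacking outside the subnet, or one whose targets are already in its ARP cache, never shows up here and needs a mirrored port or router counters instead.

```python
"""Detect worm-style address sweeps from the ARP requests a broadcast-only
sniffer sees on an ordinary switch port."""
from collections import defaultdict, deque

# Constructed ARP "who-has" requests as captured on an unmirrored switch port:
# (seconds since capture start, sender MAC, sender IP, target IP).
# Two normal hosts look up the gateway and the file server; a third walks the
# whole /24 in sequence. All values are made up for the example.
ARP_REQUESTS = [
    (0.0, "00:0c:29:aa:aa:aa", "10.0.0.12", "10.0.0.1"),
    (0.5, "00:0c:29:bb:bb:bb", "10.0.0.13", "10.0.0.1"),
    (4.0, "00:0c:29:aa:aa:aa", "10.0.0.12", "10.0.0.20"),
    (9.0, "00:0c:29:bb:bb:bb", "10.0.0.13", "10.0.0.20"),
] + [
    (10.0 + 0.1 * i, "00:0c:29:cc:cc:cc", "10.0.0.14", f"10.0.0.{i}")
    for i in range(1, 255)
]


def arp_scanners(requests, window=10.0, min_targets=30):
    """Senders that asked for at least `min_targets` distinct target IPs
    inside any `window`-second span. Returns (mac, ip, peak_distinct_targets).
    A legitimate host repeats a handful of targets; a sweeping worm asks for
    many different ones. Window and threshold are assumptions to tune per LAN."""
    by_sender = defaultdict(list)
    for ts, mac, ip, target in sorted(requests):
        by_sender[(mac, ip)].append((ts, target))
    flagged = []
    for (mac, ip), reqs in by_sender.items():
        recent = deque()                 # (ts, target) inside the sliding window
        in_window = defaultdict(int)     # target -> occurrences inside the window
        peak = 0
        for ts, target in reqs:
            recent.append((ts, target))
            in_window[target] += 1
            # Drop requests that fell out of the window; the current request
            # always stays, so the deque never empties here.
            while recent[0][0] < ts - window:
                _, old_target = recent.popleft()
                in_window[old_target] -= 1
                if in_window[old_target] == 0:
                    del in_window[old_target]
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged.append((mac, ip, peak))
    return flagged


if __name__ == "__main__":
    for mac, ip, peak in arp_scanners(ARP_REQUESTS):
        print(f"{ip} ({mac}) asked for {peak} distinct hosts within 10 s: likely sweeping")
```

Keying on the sender MAC as well as the IP matters because a worm that forges its source IP still has to put its real MAC in the ARP frame to get answers back; the MAC is what you then look up in the switch's address table to find the port.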
juniper
07-27-2004, 11:29 AM
Another very useful tool to use on Cisco routers that most people are not aware of is called NBAR. This is very cool to see what type of traffic is going through your internet interface, and as well you can use QoS to limit the amount of bandwidth that a protocol uses.
By enabling NBAR protocol-discovery on the outside interface you will get a list showing network traffic that is being used by protocol. Let's say it shows P2P apps using 80% of the bandwidth; you can then create a class-map and policy on the router that will limit all P2P traffic to only like 10k or drop it altogether. This is sort of like CAR on the 7000/12000 series routers but cooler.
Ghost_Hacker
07-29-2004, 03:54 PM
Hmmmmm...... I feel that using a sniffer, though great for "digging deeper" into suspect traffic, isn't the best way to go when trying to see if you're under "attack".
I would suggest an IDS, or Intrusion Detection System, such as SNORT. It's free, runs on Windows and Linux and isn't too hard to install/configure. Snort and other IDS systems will watch your network traffic and alert you to any traffic that meets a pattern in their rule sets. SNORT's rule sets include the patterns for many known network attacks, including many flavors of "DOS" attacks. (That's the good thing about an IDS: they come with built-in rule sets, unlike sniffers where you would have to "roll your own".) Snort can even be set up to capture the traffic so you can review it later.
You'll have to tune an IDS to weed out false positives (normal traffic, like DNS, can sometimes be tagged as an attack, i.e. a false positive). But once you have it set up it is easy to read its logs to get an idea of what, if anything, is happening on your network.
I have a link to Snort and other tools you might find interesting on my web site. But be warned some of the links are a little old and I have yet to update the site.
Hope this helps :)
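What an IDS does with its rule set, and why the DNS false positive Ghost_Hacker mentions needs tuning out, fits in a few dozen lines. The following is an added example, not code from the thread and not Snort's own syntax or engine: the rule format is a hypothetical simplified one (a signature rule is a regex on the payload; a rate rule fires when one source crosses a packet count), the packets are constructed, and the pass list stands in for what real Snort does with pass rules and thresholds. The one signature matches the CMD.exe-via-web-server pattern named earlier in the thread.

```python
"""Minimal signature + rate IDS over a packet summary, with a pass list to
tune out a known false positive."""
import re
from collections import defaultdict

# Constructed packets: (src, dst, proto, dst_port, payload). Made up for the example.
PACKETS = (
    # One HTTP request asking the web server for cmd.exe, the pattern from the thread.
    [("10.0.0.14", "10.0.0.5", "tcp", 80, "GET /scripts/cmd.exe HTTP/1.0")]
    # Normal browsing.
    + [("10.0.0.12", "10.0.0.5", "tcp", 80, "GET /index.html HTTP/1.0")]
    # The internal DNS forwarder 10.0.0.2 legitimately sends many queries upstream.
    + [("10.0.0.2", "198.51.100.1", "udp", 53, "query example.net A")] * 80
    # A workstation hammering the forwarder with queries.
    + [("10.0.0.14", "10.0.0.2", "udp", 53, f"query host{i}.example.net A") for i in range(70)]
)

# Hypothetical simplified rule format (not real Snort syntax).
SIGNATURE_RULES = [
    {"proto": "tcp", "dport": 80, "pattern": re.compile(r"cmd\.exe", re.I),
     "msg": "WEB-IIS cmd.exe access"},
]
RATE_RULES = [
    {"proto": "udp", "dport": 53, "max_per_src": 50, "msg": "possible DNS flood"},
]
# Tuning: sources whose alerts are known false positives (the DNS forwarder is
# supposed to be chatty on port 53). Real Snort expresses this with pass rules
# and per-rule thresholds; here it is a plain set.
PASS_SOURCES = frozenset({"10.0.0.2"})


def run_ids(packets, signature_rules=SIGNATURE_RULES, rate_rules=RATE_RULES,
            pass_sources=PASS_SOURCES):
    """Return (msg, src, dst) alerts. Signature rules alert per matching packet;
    rate rules alert once, on the packet that takes a source past max_per_src."""
    alerts = []
    counts = defaultdict(int)
    for src, dst, proto, dport, payload in packets:
        if src in pass_sources:
            continue
        for rule in signature_rules:
            if (rule["proto"] == proto and rule["dport"] == dport
                    and rule["pattern"].search(payload)):
                alerts.append((rule["msg"], src, dst))
        for rule in rate_rules:
            if rule["proto"] == proto and rule["dport"] == dport:
                counts[(rule["msg"], src)] += 1
                if counts[(rule["msg"], src)] == rule["max_per_src"] + 1:
                    alerts.append((rule["msg"], src, dst))
    return alerts


if __name__ == "__main__":
    print("untuned:", run_ids(PACKETS, pass_sources=frozenset()))
    print("tuned:  ", run_ids(PACKETS))
```

Running it untuned produces three alerts, one of them against the forwarder; with the pass list only the workstation's two alerts remain. That is the whole tuning loop Ghost_Hacker describes: look at what fired, decide whether the source is legitimately doing that, and suppress it narrowly rather than disabling the rule.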