1

We currently have a very large outbound DDOS Attack coming from one of our machines which is on a Brocade switch and monitored by PRTG. I am looking at the sFlow v5 8 sensor and see Top Talkers and Top Connections, but cannot make heads or tails of these live circle graphs. Can anyone please shed some light on how I can figure out what IP this traffic is originating from?

Thank you!

Aidan Knight
  • I am not sure that sFlow is the right tool (protocol) for real-time debugging... do you have a firewall with logs to analyse? – krisFR Feb 05 '14 at 03:29
  • Are you asking how to interpret the sFlow data itself or how PRTG displays it (the live circle graphs part)? – TheCleaner Feb 05 '14 at 03:41
  • Really just trying to figure out what IP this traffic is coming from so I can null-route it for now. When I click the switch in PRTG it shows that it's coming from GigabitEthernet1/2/1 but I have no idea what that is. Our network engineer, who's not available at the moment, has shown similar work using these sFlow graphs but I am having trouble interpreting them. – Aidan Knight Feb 05 '14 at 03:46
  • If you know the switch/interface where the DDoS comes from, you can block it immediately by either shutting down the switch port or getting the associated IP from the port and blocking it at the FW side. Analysis will come later (assuming I have interpreted your post as an emergency). – krisFR Feb 05 '14 at 03:50
  • I am connected to the switch via SSH but the only guide the Network Admin left for me is instructions to null an IP Address. Any idea how to shut off a port from a Brocade switch? – Aidan Knight Feb 05 '14 at 03:57

1 Answer

-1

You didn't mention which Brocade switch this was but I suspect it's one of their FastIron/ICX family so here is how to "shut off" or disable a port on a Brocade FastIron or ICX switch.

To disable port 8 of a Brocade device, enter the following.

device(config)# interface ethernet 8
device(config-if-e1000-8)# disable

I got it from the following if you want to see more:

If you have a different Brocade switch, reply back with the details and I'll reply again.

krisFR
Martin2341