Proactive monitoring: turn an incident into a solution

A few weeks ago Andra┼ż described how the NIL Monitor team caught someone running BitTorrent client on the infrastructure of one of our clients. The anomaly that triggered their suspicion was periodic nighttime high bandwidth utilization, but they finally caught the perpetrator by looking at the number of NAT sessions: BitTorrent client usually opens a large number of TCP sessions, whereas remote backup or software upgrade process does not.

Based on the incident, the NIL Monitor team decided to implement another monitoring object: now they monitor the number of NAT translations and raise alarm if an unusual spike is detected. Obviously you can do that with any network monitoring tool; the added value of NIL Monitor is our customer base: all our customers benefit from the new functionality, even though the incident happened only on one site.

Read more in Fragments

8 comments:

  1. Hi Ivan , good idea to monitor NAT table -
    the first thing I do on PIX/ASA in suspicion of overload is # show xlate count and
    # show conn count
    On the router it is #sh ip nat stat
    BTW question to you - Did you ever try to enable/implement Netflow at client's equipment ?
    If so , what the impression ?
    From cases I've seen it brought too much load on the router .

    ReplyDelete
  2. Why not just monitor via an IDS signatue, then send alert via email and have it autowrite an acl? Monitor, analyze, and react doesnt seem very proactive.

    ReplyDelete
  3. @Yurisk: Netflow was a resource hog a long time ago, more so under DoS conditions. I haven't tested it lately, but it has probably improved.

    @Anonymous: we cannot dictate the SW used on the routers we monitor for our customers (and we might not have configuration rights on the boxes). Quite often their software does not include IDS functionality.

    ReplyDelete
  4. good point, I guess I was looking at it from a network engineer pov and not a network consultant or vendor engineer pov.

    ReplyDelete
  5. Hi, i tried to monitor the show conn count and show xlate count but i couldn't find the OID for these two commands...anyone?

    ReplyDelete
  6. @Anonymous#3: try CISCO-IETF-NAT-MIB

    ReplyDelete
  7. Hi Ivan,
    Have you used the CISCO-IETF-NAT-MIB successfully on a PIX successfully? I've tried polling some of it's OIDs from a PIX-525 but it appears the MIB isn't supported or loaded on the box. (I'm getting 'no such name' errors in my 'show snmp-server statistics' after every polling attempt.)

    ReplyDelete
  8. Never tried that. I'm an IOS person 8-)

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.