Investigating Network Traffic/Spikes

Forum: Network Administration


This topic contains 7 replies, has 4 voices, and was last updated by  Shoaib 2 years, 11 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)





    Not enough info to help. I appreciate the interest but the questions I tend to help on are where I can tell the asker has done some research but needs clarity or a little extra direction.

    It would help to understand
    Why you are doing this?
    Who is the audience?
    Are you concerned about dealing with specific equipment/situations?
    Are you having specific problems?
    What do you want your results to look like?
    What information have you gathered so far?

    Otherwise, the question comes across as “tell me about networking”…and I know that probably wasn’t your intent.





    Paul Rouk

    The examples you give are all very different questions and will involve different steps for tracking down the problems. For example, tracking down a network traffic spike assumes that you have visibility into the different network segments to see where the traffic is originating. When I worked with our network team to track down performance issues at a remote office, they had the ability to see the percentage of bandwidth being used on that link in real time and could drill down to see exactly who was producing most of that traffic. To do something like this, you need to know exactly what tools you have available on your network to provide this information.

    An increase in traffic blocked at the firewall is a totally different issue and requires different tools. If the traffic is blocked, the question becomes: has the problem been resolved already, or is this just the tip of the iceberg of a bigger attack? When I had a computer with ssh access open to the Internet, I was seeing dozens of login attempts on that system on a daily basis. The security settings I had on the system blocked and logged these attacks automatically, so no further action was required, but your staff needs to be trained enough to be able to analyze an attack and tell what is and isn’t worth looking at. This isn’t an easy problem to solve, since most studies show that only about 20% of all incidents in security logs ever get investigated simply due to a lack of time and personnel.
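The triage step Paul describes (deciding which of the daily ssh login failures are scanner noise and which deserve a look) is the kind of thing worth scripting rather than eyeballing. The following is an added example, not code from the original post: it parses a handful of constructed sshd auth-log lines, groups attempts by source address, and separates background guessing at non-existent or generic accounts from failures against real accounts and, most importantly, from a source that fails and then succeeds. The host name, addresses, user names and the `GENERIC_ACCOUNTS` set are all assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (not from the original post). Three sources:
# an Internet scanner guessing generic names, a normal key-based login, and a
# host that fails twice against a real account and then gets in with a password.
SAMPLE_LOG = """\
Jan 12 03:14:07 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:09 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jan 12 03:14:12 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51044 ssh2
Jan 12 03:14:15 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51050 ssh2
Jan 12 03:20:11 bastion sshd[1300]: Accepted publickey for paul from 198.51.100.7 port 40001 ssh2
Jan 12 03:21:00 bastion sshd[1310]: Failed password for paul from 192.0.2.44 port 55000 ssh2
Jan 12 03:21:04 bastion sshd[1311]: Failed password for paul from 192.0.2.44 port 55002 ssh2
Jan 12 03:21:09 bastion sshd[1312]: Accepted password for paul from 192.0.2.44 port 55004 ssh2
"""

# Assumed set of accounts every scanner tries; failures against these alone are noise.
GENERIC_ACCOUNTS = {"root"}

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (result, auth_method, user, user_is_invalid, source_ip) per matching sshd line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["result"], m["method"], m["user"], bool(m["invalid"]), m["ip"]


def triage(log_text):
    """Group attempts by source IP and return a verdict string per source."""
    per_ip = defaultdict(lambda: {"failed": 0, "real_targets": set(), "accepted": 0})
    for result, _method, user, invalid, ip in parse(log_text):
        rec = per_ip[ip]
        if result == "Accepted":
            rec["accepted"] += 1
            continue
        rec["failed"] += 1
        # A guess at an account that exists (and is not a generic name) is a targeted attempt.
        if not invalid and user not in GENERIC_ACCOUNTS:
            rec["real_targets"].add(user)

    verdicts = {}
    for ip, rec in per_ip.items():
        if rec["failed"] and rec["accepted"]:
            # Failures followed by success from the same source is the case that must be looked at.
            verdicts[ip] = f"INVESTIGATE: {rec['failed']} failures then a successful login"
        elif rec["real_targets"]:
            verdicts[ip] = (f"REVIEW: {rec['failed']} failures against real accounts "
                            f"{sorted(rec['real_targets'])}")
        elif rec["failed"]:
            verdicts[ip] = f"NOISE: {rec['failed']} failures, only non-existent or generic accounts"
        else:
            verdicts[ip] = f"OK: {rec['accepted']} successful login(s), no failures"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

On the sample, the scanner at 203.0.113.5 comes out as noise, the key-based login is fine, and 192.0.2.44 is flagged because two failures against a real account were followed by an accepted password; that last pattern is cheap to detect and is the one that turns "blocked and logged" into "someone got in".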



    Perfect! This is exactly what I am looking for, some dialogue around investigating the wide range of network events that could be IOCs or IOAs and how people from the network side would look at them. I’m not looking for a ‘silver bullet’, I’m looking for the dialogue so we can all learn. Thanks for participating Paul, good stuff!



    I am sorry then, as that was not my purpose. IT needs more curious people and participation in this site reflects you are one of the good guys.

    I misunderstood as you started your question with “I’m putting together some guides and general ‘checklists’”

    Guides and checklists to me suggest structure and purpose and I couldn’t (and still don’t quite) understand what you were after. However, Paul does and seemed to offer something that helped you, so sounds like you got it covered.


    Paul Rouk

    There are different levels of visibility into the network to keep in mind. Quite often at work people complain and say “I’m having network problems” without having any idea exactly what the cause of the problem is. I feel sorry for our network staff since they are often the first to get blamed for any problem. I’ve seen quite a few situations where people complained about network slowness, when the problem is simply that someone is using up all of the available bandwidth in an office. The network team can verify that the connection is working and even show how much bandwidth is being used, but they don’t control what people send over the network. The monitoring software may be able to show just total bandwidth being used, or bandwidth used by user/computer. Determining what application on a given computer is using the data is an entirely different level of visibility.

    I can think of several examples where an office’s network bandwidth got swamped simply due to a misconfiguration or a questionable choice when installing software. One persistent problem was with Microsoft Outlook. A few years earlier we had abandoned trying to limit the size of people’s email accounts to only 1.5 GB. Over the years some people grew their mailboxes to 3 GB or more (the biggest I saw was over 10 GB). The default configuration in Outlook when we upgraded to a new version of MS Office was to download the entire mailbox to a local .OST file the first time someone used Outlook on a new computer. The result was that our remote offices were getting swamped every time someone visited their location and used email for the first time. Downloading 3 GB or more of email over a 3 MB WAN connection could slow down the entire office for hours.
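The "bandwidth by user/computer" level of visibility Paul describes is usually built from flow records exported by the WAN router. The following is an added example, not code from the original post: it takes a constructed batch of NetFlow-style records for a 3 Mbit/s link and computes link utilization, the top talkers with their share of traffic, and the destination-port breakdown for one host. The link size, window length, addresses and byte counts are all assumptions chosen to mirror the Outlook scenario above (one workstation pulling a large mailbox over TCP/443). Note what the records do and do not show: the host and the port, but not which application on that host is responsible, which is the "different level of visibility" the post points out.

```python
from collections import defaultdict

# Constructed inputs (not from the original post): a 3 Mbit/s WAN link and a
# 30-minute batch of NetFlow-style records exported from the office router.
LINK_CAPACITY_BPS = 3_000_000
WINDOW_SECONDS = 1800

# (src_ip, dst_ip, dst_port, bytes) for the window
FLOWS = [
    ("10.20.0.15", "10.1.0.8", 443, 600_000_000),  # one workstation, one long TCP/443 transfer
    ("10.20.0.21", "10.1.0.8", 443, 20_000_000),
    ("10.20.0.33", "10.1.0.12", 445, 30_000_000),
    ("10.20.0.33", "10.1.0.53", 53, 200_000),
    ("10.20.0.40", "10.1.0.8", 443, 10_000_000),
]


def link_utilization(flows, window_seconds=WINDOW_SECONDS, capacity_bps=LINK_CAPACITY_BPS):
    """Fraction of link capacity consumed over the window (1.0 means saturated)."""
    total_bytes = sum(f[3] for f in flows)
    return (total_bytes * 8 / window_seconds) / capacity_bps


def bytes_by_host(flows):
    """Total bytes per source host: the 'bandwidth by user/computer' view."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def top_talkers(flows, n=3):
    """Hosts ranked by share of all observed traffic, largest first: (host, bytes, share)."""
    totals = bytes_by_host(flows)
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(host, nbytes, nbytes / grand) for host, nbytes in ranked[:n]]


def bytes_by_port(flows, host):
    """Destination-port breakdown for one host; flows reveal the port, not the application."""
    totals = defaultdict(int)
    for src, _dst, port, nbytes in flows:
        if src == host:
            totals[port] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print(f"link utilization: {link_utilization(FLOWS):.0%}")
    for host, nbytes, share in top_talkers(FLOWS):
        print(f"{host:<12} {nbytes / 1e6:8.1f} MB  {share:.1%} of traffic  "
              f"ports={bytes_by_port(FLOWS, host)}")
```

With these numbers the link runs at about 98% utilization for the half hour and a single host accounts for roughly 91% of the bytes, all to one server on TCP/443. That is enough for the network team to name the machine and say "the link is working, this host is filling it"; working out that the cause is a mailbox download rather than something else requires looking at the host itself.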



