What network issues should be monitored?

The network is the basis of all communication with your customers and page viewers; without it, a computer is of little use at all. Yet many administrators pay very little attention to the health of their networks. In general, the following types of network issues deserve special attention:

1, Abnormal network traffic: sudden traffic peaks, high-load traffic that appears at certain times for no clear reason, unusually low traffic during business hours, and so on. All of these can be monitored by Hostpry, and the alert messages can be scheduled separately for business hours and non-business hours.

2, Ethernet card or link failure. If your fibre link is not running in a stable state, you may find errors like these in dmesg:

tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.
tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.
tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.

Sometimes such a link flap causes high load, and sometimes your business-critical connections are reset by it. When you find this type of message repeating, it is recommended to replace the fibre; check the transceiver and the switch port on the other end as well, since a fault there produces the same messages.
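A repeating "Link is down" message is easy to miss in a busy dmesg, so it is worth counting per interface and alerting when the count climbs. The script below is an added example, not code from the original post or from Hostpry: it parses the tg3-style lines quoted above, reports how often each interface went down, and exits non-zero when any interface exceeds FLAP_THRESHOLD. The sample dmesg output is constructed for the demonstration and the threshold value is an assumption; in production, feed it `dmesg | check_flaps` from cron and tune the threshold to your environment.

```shell
#!/bin/sh
# Added example (not from the original post): flag interfaces whose link has
# flapped too often, using the "Link is down" lines the tg3 driver logs.
# FLAP_THRESHOLD is an assumed value for illustration; tune it to your environment.

FLAP_THRESHOLD=${FLAP_THRESHOLD:-2}

# Constructed sample dmesg output, modelled on the lines quoted in the post.
sample_dmesg() {
    cat <<'EOF'
tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.
tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.
tg3: eth0: Link is down.
tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth1: Link is down.
tg3: eth1: Link is up at 1000 Mbps, full duplex.
EOF
}

# link_flaps : read dmesg lines on stdin, print "<iface> <count>" for every
# interface that went down at least once. The interface is the word just before
# "Link is down" (with its trailing colon removed), which also works for newer
# kernels that print "[ts] tg3 0000:02:00.0 eth0: Link is down".
link_flaps() {
    awk '/Link is down/ {
            for (i = 2; i <= NF; i++) if ($i == "Link") { iface = $(i - 1); break }
            sub(/:$/, "", iface)
            down[iface]++
         }
         END { for (i in down) print i, down[i] }' | sort
}

# check_flaps : read dmesg lines on stdin; exit 0 if no interface went down more
# than FLAP_THRESHOLD times, otherwise print one alert per interface and exit 1.
check_flaps() {
    link_flaps | awk -v t="$FLAP_THRESHOLD" '
        $2 > t { printf "ALERT: %s link went down %d times (threshold %d)\n", $1, $2, t; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run against the constructed sample: eth0 flapped 3 times, eth1 once.
sample_dmesg | check_flaps
```

Run against a live box with `dmesg | check_flaps`; on kernels where dmesg is restricted to root, run it from a root cron job and let the non-zero exit status drive your alert.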

3, Connection statistics. Generally, there are three types of traffic that need your attention:

SYN packets
If you see many more SYN packets, or half-open connections in the SYN_RECV state, than your normal ratio, they are mostly attacks (a SYN flood), although some network problems can also cause an excess of SYN packets. Compare against a baseline taken during normal operation:

$ netstat -an | grep -c SYN_RECV
510

Too many established connections
This should sometimes be treated as an attack, but you need to check your system to confirm whether you are right.

$ netstat -st | grep estab
8436 connections established
265 packets rejects in established connections because of timestamp

The service logs, for example Apache's access_log or sendmail's maillog, are the key evidence for deciding whether it is an attack or legitimate load.

Abnormal ICMP traffic
ICMP attacks come in many forms. Ping of Death is a well-known one, but it is a malformed (oversized) packet attack rather than a flood; ICMP floods are a different class. An ICMP flood is usually accomplished by sending large numbers of ICMP echo requests or UDP packets, and it often has a UDP component: UDP is widely used by software such as BIND, and when a UDP packet cannot be delivered to its destination port or host, an ICMP error (port or host unreachable) is sent back to the source address.
The idea is that the attacker generates so much data destined for your system that it cannot cope: for example, forging packets with your IP address as the source and sending them to a broadcast address, so that your real server is flooded by the replies (the classic Smurf attack). This slows you down so much that you cannot provide any service.
There are ways to find such issues, because modern operating systems record these events: netstat -s, for example, prints cumulative counters of ICMP messages received and sent, and a sudden jump between two readings is the indicator to watch.
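The three checks above (SYN_RECV count, ESTABLISHED count, ICMP counters) are the kind of thing a small script can poll every minute. The script below is an added example, not code from the original post or from Hostpry: it parses `netstat -ant` output to count connection states and the busiest peer addresses, compares two successive readings of the ICMP counter from `netstat -s`, and exits non-zero with an alert line when a threshold is crossed. The sample netstat outputs are constructed for the demonstration, and every threshold value is an assumption that must be derived from your own baseline.

```shell
#!/bin/sh
# Added example (not from the original post): threshold checks on the three
# traffic indicators discussed above, parsed from `netstat -ant` and `netstat -s`.
# All thresholds are assumed values for illustration; derive real ones from your baseline.

SYN_THRESHOLD=${SYN_THRESHOLD:-100}        # half-open connections (SYN_RECV)
EST_THRESHOLD=${EST_THRESHOLD:-5000}       # ESTABLISHED connections in total
PER_IP_THRESHOLD=${PER_IP_THRESHOLD:-50}   # ESTABLISHED connections from one peer
ICMP_THRESHOLD=${ICMP_THRESHOLD:-2000}     # ICMP messages received per polling interval

# Constructed sample of `netstat -ant` (Proto Recv-Q Send-Q Local Foreign State).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
EOF
}

# Constructed sample of the Icmp section of `netstat -s` on Linux.
sample_netstat_s() {
    cat <<'EOF'
Icmp:
    48213 ICMP messages received
    12 input ICMP message failed
    ICMP input histogram:
        destination unreachable: 1345
        echo requests: 46800
    1410 ICMP messages sent
EOF
}

# count_state STATE : number of sockets in STATE (last column of netstat -ant on stdin).
count_state() { awk -v st="$1" '$NF == st { n++ } END { print n + 0 }'; }

# top_peers STATE : "<count> <peer-ip>" lines for STATE, busiest first.
# The peer is column 5; the trailing ":port" is stripped (works for IPv4 and IPv6-mapped forms).
top_peers() {
    awk -v st="$1" '$NF == st { ip = $5; sub(/:[^:]*$/, "", ip); c[ip]++ }
                    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# check_connections : read netstat -ant on stdin; print alerts and return 1 if any threshold is exceeded.
check_connections() {
    data=$(cat)
    syn=$(printf '%s\n' "$data" | count_state SYN_RECV)
    est=$(printf '%s\n' "$data" | count_state ESTABLISHED)
    rc=0
    if [ "$syn" -gt "$SYN_THRESHOLD" ]; then
        echo "ALERT: $syn half-open connections (SYN_RECV), threshold $SYN_THRESHOLD; top sources:"
        printf '%s\n' "$data" | top_peers SYN_RECV | head -n 5
        rc=1
    fi
    if [ "$est" -gt "$EST_THRESHOLD" ]; then
        echo "ALERT: $est ESTABLISHED connections, threshold $EST_THRESHOLD"
        rc=1
    fi
    # One peer holding many connections is suspicious even when the global total looks normal.
    busy=$(printf '%s\n' "$data" | top_peers ESTABLISHED | awk -v t="$PER_IP_THRESHOLD" '$1 > t { print $2 }')
    if [ -n "$busy" ]; then
        echo "ALERT: peers with more than $PER_IP_THRESHOLD ESTABLISHED connections: $busy"
        rc=1
    fi
    return $rc
}

# icmp_received : total ICMP messages received since boot, from `netstat -s` on stdin.
icmp_received() { awk '/ICMP messages received/ { print $1; exit }'; }

# check_icmp PREV CUR : the counter is cumulative, so compare two successive readings
# and alert when the increase over one polling interval exceeds ICMP_THRESHOLD.
check_icmp() {
    delta=$(( $2 - $1 ))
    if [ "$delta" -gt "$ICMP_THRESHOLD" ]; then
        echo "ALERT: $delta ICMP messages received since last poll, threshold $ICMP_THRESHOLD"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples (nothing exceeds the default thresholds).
sample_netstat | check_connections
check_icmp 47000 "$(sample_netstat_s | icmp_received)"
```

For a live host, replace the sample functions with `netstat -ant | check_connections` and keep the previous `icmp_received` reading in a state file so that `check_icmp "$(cat /var/tmp/icmp.prev)" "$(netstat -s | icmp_received)"` compares consecutive polls; a count of connections that grows but whose peers never appear in access_log is the pattern that points at an attack rather than load.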
