Kerberos Traffic on Enterprise Network

Ken Raeburn raeburn at MIT.EDU
Tue Dec 30 18:16:46 EST 2003


On Tuesday, Dec 30, 2003, at 10:48 US/Eastern, Palumbo, Matthew wrote:
> Wondering if anyone would have an insight to why the BULK of my 
> network traffic would be from the Kerberos protocol.
>

Do you mean Kerberos-related protocols like Kerberos-encrypted rlogin?  
Maybe lots of people are using Kerberos-secured protocols, or one or 
two people are using them for massive exchanges of data?

Or do you mean the traffic to port 88 makes up the majority of your 
traffic?  Perhaps someone has a badly configured client (or broken 
software) which is continually requesting tickets?  Perhaps someone is 
submitting a vast number of ticket requests in a brute-force attempt to 
guess someone's password?

It would help if you could get a packet dump from your network and 
decode what some of the packets actually are.  (I haven't used the 
fancy packet-decoding facilities of packet tracing programs with 
Kerberos, so I can't tell you for sure which ones will handle it, but 
I've heard Ethereal is a pretty good choice.)

Ken
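
Added example, not part of the original message: one way to triage a decoded port-88 capture along the lines Ken suggests, separating a client that keeps requesting tickets from one whose requests keep failing pre-authentication. The tab-separated input layout, the sample rows, the function names and the thresholds are assumptions made for this example; the msg-type and error-code numbers are those of RFC 4120.

```python
from collections import Counter, defaultdict

# Kerberos msg-type values and error code as defined in RFC 4120.
AS_REQ, AS_REP, TGS_REQ, TGS_REP, KRB_ERROR = 10, 11, 12, 13, 30
PREAUTH_FAILED = 24  # KDC_ERR_PREAUTH_FAILED: the client used the wrong key
# Error 25 (KDC_ERR_PREAUTH_REQUIRED) is a normal first leg and is ignored.

def build_sample():
    """Constructed rows: client IP, msg-type, error-code ('-' if none), principal."""
    rows = ["10.0.0.5\t10\t-\talice", "10.0.0.5\t11\t-\talice",
            "10.0.0.5\t12\t-\talice", "10.0.0.5\t13\t-\talice"]
    for _ in range(200):   # same service ticket fetched over and over
        rows += ["10.0.0.7\t12\t-\tbob", "10.0.0.7\t13\t-\tbob"]
    for _ in range(150):   # every AS-REQ rejected for a bad key
        rows += ["10.0.0.9\t10\t-\tcarol", "10.0.0.9\t30\t24\tcarol"]
    return rows

def summarize(lines):
    """Count requests, issued tickets and pre-auth failures per client IP."""
    stats = defaultdict(Counter)
    for line in lines:
        client, msg_type, err, _principal = line.rstrip("\n").split("\t")
        msg_type = int(msg_type)
        if msg_type in (AS_REQ, TGS_REQ):
            stats[client]["requests"] += 1
        elif msg_type in (AS_REP, TGS_REP):
            stats[client]["tickets"] += 1
        elif msg_type == KRB_ERROR and err != "-" and int(err) == PREAUTH_FAILED:
            stats[client]["preauth_failed"] += 1
    return stats

def classify(c, min_requests=100):
    """Label one client's counters; min_requests and the 50% cut-offs are assumed."""
    if c["requests"] < min_requests:
        return "normal"
    if c["preauth_failed"] * 2 >= c["requests"]:
        # Fits password guessing, but also a stale stored password being retried.
        return "repeated-preauth-failure"
    if c["tickets"] * 2 >= c["requests"]:
        return "ticket-request-loop"
    return "high-volume-other"

if __name__ == "__main__":
    for ip, counters in sorted(summarize(build_sample()).items()):
        print(ip, dict(counters), classify(counters))
```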


