Kerberos Traffic on Enterprise Network

John Hascall john at iastate.edu
Tue Dec 30 18:31:34 EST 2003


And just because traffic is on one of the ports used by Kerberos,
that doesn't make it Kerberos traffic.  You need to look at the
traffic and see what it really is.

John

> On Tuesday, Dec 30, 2003, at 10:48 US/Eastern, Palumbo, Matthew wrote:
> > Wondering if anyone would have an insight to why the BULK of my 
> > network traffic would be from the Kerberos protocol.
> >
> 
> Do you mean Kerberos-related protocols like Kerberos-encrypted rlogin?  
> Maybe lots of people are using Kerberos-secured protocols, or one or 
> two people are using them for massive exchanges of data?
> 
> Or do you mean the traffic to port 88 makes up the majority of your 
> traffic?  Perhaps someone has a badly configured client (or broken 
> software) which is continually requesting tickets?  Perhaps someone is 
> submitting a vast number of ticket requests in a brute-force attempt to 
> guess someone's password?
> 
> It would help if you could get a packet dump from your network and 
> decode what some of the packets actually are.  (I haven't used the 
> fancy packet-decoding facilities of packet tracing programs with 
> Kerberos, so I can't tell you for sure which ones will handle it, but 
> I've heard Ethereal is a pretty good choice.)
> 
> Ken
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
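
One way to make the check discussed in this thread, as an added example that is not part of the original messages: decide whether a port-88 payload is really a Kerberos v5 message by its ASN.1 framing, then count message types per source so a client that keeps requesting tickets stands out. It assumes payloads already extracted from a capture, one complete message per payload; the addresses and sample bytes are constructed.

```python
import struct
from collections import Counter

# Kerberos v5 messages are DER-encoded; the first byte is an ASN.1 APPLICATION tag.
KRB5_TAGS = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
             0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}

def der_length(buf, off):
    """Return (length, next_offset) for the DER length at buf[off], or None."""
    if off >= len(buf):
        return None
    first = buf[off]
    if first < 0x80:                      # short form: one length byte
        return first, off + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n

def classify(payload, tcp=False):
    """Name the Kerberos v5 message in a port-88 payload, or 'not-kerberos'."""
    if tcp:  # over TCP each message is preceded by a 4-byte big-endian length
        if len(payload) < 4 or struct.unpack(">I", payload[:4])[0] != len(payload) - 4:
            return "not-kerberos"
        payload = payload[4:]
    name = KRB5_TAGS.get(payload[0]) if payload else None
    parsed = der_length(payload, 1) if name else None
    if not parsed:
        return "not-kerberos"
    length, body = parsed
    # The DER length must cover the rest of the payload, and the body is a SEQUENCE.
    if body + length != len(payload) or payload[body:body + 1] != b"\x30":
        return "not-kerberos"
    return name

def summarize(packets):
    """Count (source, message type) pairs over (src, payload, tcp) tuples."""
    return Counter((src, classify(p, tcp)) for src, p, tcp in packets)

# Constructed sample: a minimal AS-REQ shell (pvno=5, msg-type=10 only) and
# an HTTP request sent to port 88; the source addresses are made up.
AS_REQ = bytes.fromhex("6a0c300aa103020105a20302010a")
SAMPLE = [("10.0.0.5", AS_REQ, False), ("10.0.0.5", AS_REQ, False),
          ("10.0.0.5", struct.pack(">I", len(AS_REQ)) + AS_REQ, True),
          ("10.0.0.9", b"GET / HTTP/1.0\r\n\r\n", False)]

if __name__ == "__main__":
    for (src, kind), count in sorted(summarize(SAMPLE).items()):
        print(f"{src:12} {kind:14} {count}")
```

A source with a large AS-REQ count, especially one paired with many KRB-ERROR replies from the KDC, points at the misconfigured-client or password-guessing cases raised in the quoted reply.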


