Network Brown Out by Cisco RSPAN

History:

It was published that Microsoft Exchange had been exploited with the hafnium targeting exchange servers,
Source: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

To confirm we were not impacted I reconfigured the Security Onion to monitor email traffic flow.

We discovered suspicious IP addresses that did fall within the range of some of the suspected internet IPs that were listed as attackers.

I blacklisted those as well as all recommended IPs that were mentioned as attackers.

When Backup Exec executed on the weekend it replicated the packets and sent it to the Security Onion server.
This resulted in doubling the packet flow during the backup procedure and over exhausting the switches queues.

I removed the SPAN session and reverted back to monitoring the internal internet traffic flow and the network stabilized.