My company has been hit with what we thought was some sort of DDoS
attack. The symptom was that our incoming bandwidth, which is normally
10-15 Mbit during the day, jumped by about 30 Mbit, and the 30 Mbit
stayed fairly constant.
This is the 4th time this has happened. We've finally been able to get
a tcp dump, I'm linking wireshark images.
These are the facts as I've been able to identify them:
1. Our customers are school districts. The districts typically NAT
everything through a single IP, so our normal traffic is usually several
hundred connections from each IP.
2. All the excess bandwidth is coming on a single connection.
3. The connection seems to always come from the same IP address. The IP
address resolves to one of our customers.
4. Wireshark shows that the traffic appears to be a constant stream of
Retransmits. The URL being retransmitted is valid.
5. The traffic passes through our firewall, but doesn't get past the
load balancer.
6. When I had our ISP break the connection at the firewall, the traffic
continued to be received at the firewall, but was not passed through to
the load balancer.
7. These episodes seem to be getting longer. The first one lasted
several hours, the last one several days.
This is totally out of my experience.
Is it possible for some mis-configured equipment to cause this to happen?
I'm looking for any sort of suggestions. So far this hasn't hurt us,
but if it gets larger, it will.
I didn't want to attach the capture because of the size, but if someone
wants to take a closer look, I'd be happy to send it along.
Thanks in advance.
500 frames captured.
The first one is a normal GET.
1 thru 13 are TCP OUT-OF-ORDER
14-500 are Retransmits
here are the image links; they were too big to attach:
http://mrld.info/w1.gif
http://mrld.info/w2.gif
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
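Facts 2 and 4 in the post above (all of the excess traffic on one connection, and that connection being a steady stream of retransmissions of the same request) can be checked mechanically rather than by scrolling through Wireshark. The script below is an added example and is not code from the original poster or from the LOPSA list; it takes a list of captured TCP segments, classifies each data-carrying segment per one-directional flow as in-order, out-of-order or retransmitted, and flags flows whose traffic is dominated by retransmissions. The packet records are constructed to mimic the post's description (one healthy flow, one flow that sends a GET and then repeats the identical sequence range), and the classification is a deliberately simplified version of the heuristic Wireshark uses: an exact repeat of an already-seen payload range is a retransmission, a new range that starts below the flow's high-water mark is out-of-order.

```python
"""Flag TCP flows dominated by retransmissions (added example, constructed data).

Each record is one captured TCP segment:
    (timestamp, src_ip, src_port, dst_ip, dst_port, seq, payload_len)
seq is the absolute sequence number as seen on the wire; payload_len is
the number of data bytes (0 for a pure ACK). No sequence-number wrap is
handled, which is fine for a capture of a few hundred frames.
"""
from collections import defaultdict

NORMAL_FLOW = ("10.1.1.1", 40000, "203.0.113.10", 80)
STUCK_FLOW = ("10.2.2.2", 51000, "203.0.113.10", 80)

# Constructed capture. Flow 1 behaves normally: two data segments with
# advancing sequence numbers, then a bare ACK. Flow 2 sends a 300-byte GET,
# one segment arrives ahead of its predecessor (out-of-order), and then the
# original GET range is repeated twenty times at a steady rate, which is the
# pattern described in the post (frames 14-500 all retransmits).
CAPTURE = [
    (0.00, *NORMAL_FLOW, 5000, 100),
    (0.10, *NORMAL_FLOW, 5100, 100),
    (0.20, *NORMAL_FLOW, 5200, 0),
    (0.00, *STUCK_FLOW, 1000, 300),   # the valid GET
    (0.05, *STUCK_FLOW, 1400, 100),   # arrives before the 1300 segment
    (0.06, *STUCK_FLOW, 1300, 100),   # out-of-order: below high-water mark
] + [
    (0.10 + 0.20 * i, *STUCK_FLOW, 1000, 300) for i in range(20)  # repeats
]


def classify_segments(segments):
    """Return {flow: counters} for each one-directional flow (4-tuple).

    Counters: segments, bytes, retransmit, out_of_order. A segment whose
    exact (seq, seq+len) range was already seen on the flow is counted as a
    retransmission; an unseen range that starts below the highest byte
    already seen is counted as out-of-order (simplified Wireshark rule).
    """
    seen_ranges = defaultdict(set)   # flow -> {(seq, end)} already observed
    highest_end = defaultdict(int)   # flow -> highest seq+len seen so far
    stats = defaultdict(lambda: {"segments": 0, "bytes": 0,
                                 "retransmit": 0, "out_of_order": 0})
    for _ts, src, sport, dst, dport, seq, length in segments:
        flow = (src, sport, dst, dport)
        s = stats[flow]
        s["segments"] += 1
        s["bytes"] += length
        if length == 0:
            continue                 # pure ACKs carry no data to retransmit
        rng = (seq, seq + length)
        if rng in seen_ranges[flow]:
            s["retransmit"] += 1
        elif seq < highest_end[flow]:
            s["out_of_order"] += 1
        seen_ranges[flow].add(rng)
        highest_end[flow] = max(highest_end[flow], seq + length)
    return dict(stats)


def flag_flows(stats, min_segments=10, min_retransmit_ratio=0.5):
    """Flows with at least min_segments whose retransmission share is high.

    Returned sorted by bytes, largest first, so the flow eating the
    bandwidth is at the top. Thresholds are assumptions for this example;
    tune them to the capture.
    """
    flagged = []
    for flow, s in stats.items():
        if s["segments"] < min_segments:
            continue
        if s["retransmit"] / s["segments"] >= min_retransmit_ratio:
            flagged.append((flow, s))
    flagged.sort(key=lambda item: item[1]["bytes"], reverse=True)
    return [flow for flow, _ in flagged]


if __name__ == "__main__":
    stats = classify_segments(CAPTURE)
    for flow, s in stats.items():
        print(flow, s)
    print("flagged:", flag_flows(stats))
```

On the real capture, the same view can be had from the command line with `tshark -r capture.pcap -Y tcp.analysis.retransmission -T fields -e ip.src -e tcp.srcport -e tcp.seq | sort | uniq -c | sort -rn`; if every retransmitted frame from the suspect source carries the same sequence number, the sender is repeating one segment rather than recovering from ordinary loss, which is what distinguishes a stuck endpoint or middlebox from a lossy but otherwise healthy path.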