DDOS was our first thought, but there's a couple of problems with that. Normally a DDOS (at least the ones we've seen) has a specific target; this does not. Also, it usually uses one type of traffic/packet/etc. This is spread out like normal traffic, just a whole lot more of it.
Thanks,

Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
Network Operations Department
...the team behind the machines
Securityguy_AT_ikano.com
801-415-8089

"You have enemies? Good. That means you've stood up for something, some time in your life." -- Winston Churchill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Flow-tools] Strange Router Export Issue

>
>I've got a strange issue that is just perplexing me. Basically
>here's my setup:
>
>I've got two 7513's and one 7206. Each has one internet DS-3. The
>7513's also support other customer connections, but the 7206 is just
>the DS-3.
>
>Starting a couple of days ago, the 7206 started sending HUGE numbers
>(10x normal) of flows to my flow-collector. I've dug into the raw
>flow files and I just don't see anything strange. All three routers
>carry about the same traffic load according to bandwidth, but the
>flows are out of the ball park for the 7206. It's almost like the
>router is counting traffic multiple times, but the config didn't
>change when this started.
>
>
>Anyone have any ideas on where I should look?
>

This sounds like a ddos attack to me. I've been hit with a ddos before on my internet router which happens to be a 7206VXR with a full DS3 attached to it. It added about 20% onto the router's CPU utilization and drove up the number of flows by at least 10x. The additional flows caused my flow-capture/flowscan system to fall behind to the point that I had to kill flow-capture until the ddos was over.

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
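The thread raises three explanations for a 10x flow count at unchanged bandwidth: the router exporting the same traffic more than once, an attack on one target, or far more (and smaller) flows spread across normal destinations. The following is an added example, not part of the original messages, showing how flow records could be checked for each; the record layout, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Flow record layout (assumed for this example):
# (src_ip, dst_ip, proto, dst_port, start_ms, packets, bytes)

def profile(flows):
    """Summarise one collection interval of flow records."""
    n = len(flows)
    by_dst = Counter(f[1] for f in flows)
    return {
        "flows": n,
        "bytes_per_flow": sum(f[6] for f in flows) / n,
        "top_dst_share": by_dst.most_common(1)[0][1] / n,
        "duplicates": n - len(set(flows)),  # byte-identical records seen again
    }

def triage(baseline, current):
    """Compare a spike interval with a normal one. Thresholds are illustrative."""
    b, c = profile(baseline), profile(current)
    findings = []
    if c["duplicates"] > 0.1 * c["flows"]:
        findings.append("duplicate-export")      # same flows counted repeatedly
    if c["top_dst_share"] > 0.5 and c["top_dst_share"] > 2 * b["top_dst_share"]:
        findings.append("concentrated-target")   # one destination dominates
    if c["bytes_per_flow"] < 0.5 * b["bytes_per_flow"]:
        findings.append("many-small-flows")      # more flows, same bandwidth
    return findings or ["no-obvious-cause"]

# Constructed sample data (documentation address ranges, not from the thread).
BASELINE = [("10.0.0.%d" % i, "192.0.2.%d" % (i % 8), 6, 80, 1000 + i, 10, 6000)
            for i in range(40)]
DUPLICATED = BASELINE * 10   # every record exported ten times
SPREAD = [("10.1.%d.%d" % (i // 200, i % 200), "192.0.2.%d" % (i % 8),
           6, 80, 1000 + i, 1, 600) for i in range(400)]  # 10x flows, same bytes
TARGETED = BASELINE + [("198.51.100.%d" % (i % 250), "192.0.2.1", 17, 53,
                        5000 + i, 1, 60) for i in range(360)]

if __name__ == "__main__":
    for name, sample in [("duplicated", DUPLICATED), ("spread", SPREAD),
                         ("targeted", TARGETED)]:
        print(name, triage(BASELINE, sample))
```

A result of only `many-small-flows` matches the pattern described in the first message (no single target, traffic spread like normal), while `duplicate-export` would point at the router or its export configuration rather than the traffic.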
