Hello Scott,

> Check for network errors (netstat -i I think).

This is what I get:

# netstat -i
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500  <Link#1>      00:10:4b:97:92:34 945039   189   601805     0     0
xl0   1500  200.112.192/2 mx1               613303     -   601377     -     -
xl0   1500  fe80:1::210   fe80:1::210:4bff:      0     -        0     -     -
lp0*  1500  <Link#2>                             0     0        0     0     0
faith 1500  <Link#3>                             0     0        0     0     0
lo0   16384 <Link#4>                            30     0       30     0     0
lo0   16384 localhost.n   ::1                    0     -        0     -     -
lo0   16384 fe80:4::1     fe80:4::1              0     -        0     -     -
lo0   16384 your-net      localhost             20     -       20     -     -
ppp0* 1500  <Link#5>                             0     0        0     0     0
sl0*  552   <Link#6>                             0     0        0     0     0

Anything unusual?

> It may be worth still trying to set the network interface on the server,
> especially if you are seeing any network errors.

Do you know how I can set my NIC's speed and duplex setting in FreeBSD?

> I doubt this is the problem. It might be worth looking at the link Eric
> supplied as well as monitoring the postfix processes for some sort of mail
> attack.

The result using the tool is that the machine is clean.

> Also check any windows boxes on the same network for any virus infections.
> We had a client with a few viruses and the crappy network card just stopped
> passing packets under load. A reboot would fix it for 10-15 mins. The problem
> was that it killed the whole local LAN. May be worth looking at.

We just did that, all the machines are clean.

Today's fourth attack came in, this time I think that it wasn't so heavy as before because my FreeBSD box continued to respond to pings, very slow though. While it was happening I saw that the ping times between my own machines were very high, minimum 150 ms going as high as 9000 ms. I started to disconnect my network branches, remote access servers, dedicated circuits, ADSL users, servers, etc. When I disconnected my border router the heavy traffic went down and the ping times went back to normal. I also did a test disconnecting the links to my upstream providers and things went back to normal too. This shows that the attack must be coming from outside my network.

As I kept the links down for like 20 minutes, when I connected them again the attacks didn't return, but they could start at any moment again. Any ideas on what could be causing my border router to increase the traffic so heavily? Is there any way to track who is attacking me or what ports and protocols they are targeting? Netstat reports from my servers show usual activity. I'm starting to think that this could be ICMP traffic; I've heard that some folks have been attacked that way, is it possible? I could disable ICMP responses at my firewall, but I also have heard that I could run into some problems because ICMP is required for some services...

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net
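The "anything unusual?" question above comes down to reading the Ierrs/Oerrs/Coll columns on the link-level rows. The script below, an added example that is not part of this thread, parses FreeBSD `netstat -i` output in the column layout shown in the message (the sample is the message's own output, embedded as a string) and flags interfaces whose error ratio exceeds a threshold; the 1-in-10000 threshold is an assumed triage value, not a FreeBSD default.

```python
"""Parse FreeBSD `netstat -i` output and flag interfaces showing input/output
errors or collisions, as a first triage step for a box that slows down under load.
Example code added to this thread; the column layout is assumed to match the
message above (Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll)."""
from typing import Dict, List, Optional, Tuple

# Sample taken from the message above. Only the <Link#N> rows carry error
# counters; the per-address rows show '-' in those columns.
SAMPLE = """\
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500  <Link#1>      00:10:4b:97:92:34 945039   189   601805     0     0
xl0   1500  200.112.192/2 mx1               613303     -   601377     -     -
xl0   1500  fe80:1::210   fe80:1::210:4bff:      0     -        0     -     -
lp0*  1500  <Link#2>                             0     0        0     0     0
faith 1500  <Link#3>                             0     0        0     0     0
lo0   16384 <Link#4>                            30     0       30     0     0
lo0   16384 localhost.n   ::1                    0     -        0     -     -
lo0   16384 fe80:4::1     fe80:4::1              0     -        0     -     -
lo0   16384 your-net      localhost             20     -       20     -     -
ppp0* 1500  <Link#5>                             0     0        0     0     0
sl0*  552   <Link#6>                             0     0        0     0     0
"""

COUNTERS = ("ipkts", "ierrs", "opkts", "oerrs", "coll")


def _num(tok: str) -> Optional[int]:
    """'-' means the counter does not apply to this (per-address) row."""
    return None if tok == "-" else int(tok)


def parse_netstat_i(text: str) -> List[Dict]:
    """Turn each interface row into a dict; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "Name":
            continue
        # The Address column is blank on link rows with no L2 address
        # (lp0*, faith, ...), so anchor on the five trailing counters
        # instead of on fixed positions.
        name, mtu, network = toks[0], int(toks[1]), toks[2]
        address = toks[3] if len(toks) == 9 else ""
        row = {"name": name, "mtu": mtu, "network": network,
               "address": address, "link": network.startswith("<Link#")}
        row.update(zip(COUNTERS, map(_num, toks[-5:])))
        rows.append(row)
    return rows


def error_report(rows: List[Dict], max_ratio: float = 1e-4
                 ) -> Dict[str, Tuple[float, float, int]]:
    """Return {iface: (ierr_ratio, oerr_ratio, collisions)} for link-level
    rows whose input or output error ratio exceeds max_ratio, or that show
    any collisions. A ratio is errors / packets in that direction."""
    flagged = {}
    for r in rows:
        if not r["link"]:
            continue
        ierr = r["ierrs"] / r["ipkts"] if r["ipkts"] else 0.0
        oerr = r["oerrs"] / r["opkts"] if r["opkts"] else 0.0
        if ierr > max_ratio or oerr > max_ratio or r["coll"]:
            flagged[r["name"]] = (ierr, oerr, r["coll"])
    return flagged


if __name__ == "__main__":
    for iface, (ierr, oerr, coll) in error_report(parse_netstat_i(SAMPLE)).items():
        print(f"{iface}: in-errors {ierr:.4%}, out-errors {oerr:.4%}, collisions {coll}")
```

On the sample, only xl0 is flagged: 189 input errors over 945039 packets is about 0.02%, with no output errors and no collisions. An input-only error count of that size is the pattern a duplex mismatch or a noisy link typically leaves, which is why the reply suggests pinning the interface's speed and duplex; a large collision count would instead point at a half-duplex segment.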
