[122227] in North American Network Operators' Group


Re: black listing of web traffic

daemon@ATHENA.MIT.EDU (gordon b slater)
Tue Feb 9 20:43:37 2010

X-IP-MAIL-FROM: gordslater@ieee.org
From: gordon b slater <gordslater@ieee.org>
To: Andrey Gordon <andrey.gordon@gmail.com>
In-Reply-To: <90ccfc91002091404nc2222d7pd8dfdc2910fd153@mail.gmail.com>
Date: Wed, 10 Feb 2010 01:42:48 +0000
Cc: Nanog <nanog@nanog.org>
Reply-To: gordslater@ieee.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 2010-02-09 at 17:04 -0500, Andrey Gordon wrote:
> Thx to all the folks replying off the list.
> 
> The more I troubleshoot the more I'm convinced that it's not the sites that
> are doing rate-limiting. I went to a website of one of my previous employers
> (a small company). Chances of them having a fancy reverse proxy with some
> sort of black list filtering are slim to none, yet their site barely opens
> up as well.
> 
> Must be something that either my firewall device is doing (which is what is
> doing the NATting) or I don't know what else. I'm working with my firewall
> guy since f/w is his domain and I have no clue about that vendor of the
> firewalls (PaloAlto).
> 
> Thanks all for the suggestions. I'll keep digging.
> 

A few months ago I was involved in hard-to-troubleshoot intermittent
problems similar to yours. I finally diagnosed a faulty or overloaded
state table somewhere in one of the cheap plastic routers they were
using. All problems ended when I replaced the cheap plastic stuff with
x86 hardware running pf or iptables, I forget exactly which
(irrelevant).

Could it be that you have some arp-poisoning going on? That was my first
thought in the above situation, but Wireshark showed otherwise. 
The clue to the state tables - it was mainly SSL/TLS that was getting
expired/dropped. 

Gord


