[135310] in North American Network Operators' Group
Re: Looking for an Akamai contact, strange DoS traffic sourcing from
daemon@ATHENA.MIT.EDU (Jack Bates)
Fri Jan 21 09:43:55 2011
Date: Fri, 21 Jan 2011 08:43:48 -0600
From: Jack Bates <jbates@brightok.net>
To: Tom Beecher <tbeecher@localnet.com>
In-Reply-To: <4D399A7A.5070909@localnet.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 1/21/2011 8:38 AM, Tom Beecher wrote:
> Jack-
>
> This is exactly what we're seeing. The Akamai server starts a
> retransmission flood aimed at a specific address randomly. We're seeing
> thousands of retransmissions of the same packet over and over again,
> same sequence/ack numbers, all 1460 bytes. In the last capture I have,
> it was all JPEG data, although we weren't capturing entire packets.
> There is a slight difference in the capture payloads, two bytes each time.
>
The content between attacks changes at times, as do the source IPs, as
they send different content. We've noticed packets from at least 2
different Akamai-hosted sites being sent.
1460 is definitely the number. What gets me is that the 3-way should be
complete to allow the 1460, and the modem bank is spamming host
unreachable ICMP messages since that IP is offline.
> I had another dial-up provider contact me off list, and he's seeing the
> same thing. I'm wondering if this is actually more widespread, but only
> dial-up providers are really seeing the effects since a 3-5Mbps burst is
> most noticeable for us on our smaller upstream links.
This was my thought, though in my downstream's case, it's saturating his
DS-3. The 45mb spikes were just enough for me to barely make it out on
the akamai gig-e graphs.
He's also not always receiving from my local node. Sometimes his other
transit links saturate due to remote nodes doing the same thing.
Jack
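As an added example (not code from the thread or from either poster), a detection pass over constructed segment records that flags the pattern described above: the same source/destination/seq/ack tuple at 1460 bytes repeated hundreds of times per second, which a genuine TCP retransmission, with its exponential backoff, never produces. The record layout, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): one tuple per TCP segment
# seen on the downstream link: (timestamp_s, src, dst, seq, ack, payload_len).
SAMPLE_SEGMENTS = (
    # flood: 300 identical 1460-byte segments in ~0.6 s, seq/ack never advance
    [(1000.0 + i * 0.002, "203.0.113.10", "198.51.100.7", 81234, 5551, 1460)
     for i in range(300)]
    # normal transfer: sequence number advances by 1460 on every segment
    + [(1000.0 + i * 0.05, "192.0.2.5", "198.51.100.9", 100 + 1460 * i, 77, 1460)
       for i in range(20)]
)


def find_retransmission_floods(segments, min_repeats=100, window_s=1.0):
    """Group segments by (src, dst, seq, ack, len) and report every tuple that
    recurs at least `min_repeats` times inside some `window_s` window.

    Returns {key: {"repeats", "peak_per_window", "kbps"}} so an operator can
    compare the burst rate against the capacity of the affected link.
    """
    by_key = defaultdict(list)
    for ts, src, dst, seq, ack, length in segments:
        by_key[(src, dst, seq, ack, length)].append(ts)

    floods = {}
    for key, times in by_key.items():
        times.sort()
        # sliding window over timestamps: densest run of identical segments
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_repeats:
            payload_len = key[4]
            floods[key] = {
                "repeats": len(times),
                "peak_per_window": best,
                # bits per second of repeated payload during the peak window
                "kbps": best * payload_len * 8 / 1000 / window_s,
            }
    return floods
```

On the constructed input the flood key reports 300 repeats and about 3.5 Mbps of identical payload, the same order of magnitude as the bursts the thread describes, while the normal transfer is not flagged because each of its segments carries a distinct sequence number.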