[190676] in North American Network Operators' Group
Re: akamai abnormal spike
daemon@ATHENA.MIT.EDU (joel jaeggli)
Tue Jul 19 03:16:54 2016
X-Original-To: nanog@nanog.org
To: Mike Hammett <nanog@ics-il.net>
From: joel jaeggli <joelja@bogus.com>
Date: Tue, 19 Jul 2016 09:16:42 +0200
In-Reply-To: <1588971553.2606.1468853835713.JavaMail.mhammett@ThunderFuck>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--NIwHP2unIjWlo0atlQiuGSfkLXR9U3iMO
From: joel jaeggli <joelja@bogus.com>
To: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
Message-ID: <4526dd00-30be-0374-a8f1-ab5e189bf080@bogus.com>
Subject: Re: akamai abnormal spike
References: <CAA3RQS8eqG-x6eMg8D6SnbnV=G3eDjezHGDUmrP=9N-GJ=wprg@mail.gmail.com>
<1468848371_93759@surgemail.mnsi.net>
<c39b3f31-6a6e-c3ec-cec0-87bde9ff8577@ispn.net>
<1588971553.2606.1468853835713.JavaMail.mhammett@ThunderFuck>
In-Reply-To: <1588971553.2606.1468853835713.JavaMail.mhammett@ThunderFuck>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
On 7/18/16 4:57 PM, Mike Hammett wrote:
> Several of my WISP colleagues have noticed this behavior (CDN sending
> way more traffic than the customer's pipe can handle) from (I
> believe) multiple CDNs. Not sure if it is intention on behalf of the
> CDN or an error, but it has been on-going for several months if not
> years.
It's not a healthy tcp flow if the number of packets associated with the
flow stays well in excess of the link capacity for a while... if you
have recourse to to l4 header flags you might find that it was an ack
flood or repeated retramission of the same PDUs. Either way someones
state machine has a bug.
joel
>=20
>=20
>=20
> ----- Mike Hammett Intelligent Computing Solutions=20
> http://www.ics-il.com
>=20
>=20
>=20
> Midwest Internet Exchange http://www.midwest-ix.com
>=20
>=20
> ----- Original Message -----
>=20
> From: "Blake Hudson" <blake@ispn.net> To: nanog@nanog.org Sent:
> Monday, July 18, 2016 8:49:21 AM Subject: Re: akamai abnormal spike
>=20
> We noticed that on the 12th-14th we had multiple subscribers on
> ~5Mbps subscription rates that were being sent ~50Mbps of data
> sourced from TCP port 80 (apparently HTTP) from Limelight Networks'
> servers. The data did appear to be user requested, still not sure why
> TCP didn't throttle the data rate appropriately. The 50Mbps was
> distributed across multiple LLNW servers. Makes me wonder if the
> customer was requesting one batch of data and multiple servers were
> responding.
>=20
> The issue cleared up on its own and I never was able to perform a
> full packet capture to investigate. I have not noticed the same
> behavior from Akamai servers.
>=20
> Clayton Zekelman wrote on 7/18/2016 8:26 AM:
>>=20
>>=20
>> We noticed on the 12th and 13th there was a significant up tick in
>> traffic served from our Akamai servers as well.
>>=20
>>=20
>> At 05:37 PM 13/07/2016, eric c wrote:
>>> Good afternoon,
>>>=20
>>> Has anyone notice any abnormal spike in Akamai trafic in the last
>>> 24-48 hours compared to other days. I know it was black tuesday
>>> yesterday but traffic from last month didn't even come close to
>>> what we saw from Akamai.
>>>=20
>>> We have some caching servers and even notice a spike to them as
>>> well.
>>>=20
>>> Limelight even showed up on our network.
>>>=20
>>> thanks eric
>>=20
>=20
>=20
--NIwHP2unIjWlo0atlQiuGSfkLXR9U3iMO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAleN09oACgkQ8AA1q7Z/VrLIBgCbBwYPsuZ4qB4K3uPTidEyUlaO
z20AoIMuIrqH2/0wrbeGnx4kZlBOODLW
=lCVR
-----END PGP SIGNATURE-----
--NIwHP2unIjWlo0atlQiuGSfkLXR9U3iMO--
