
Re: Strange situations [Sorry about the attachment I forgot]



It sounds like you might have some Nachi infected hosts.

If a huge chunk of your traffic is ICMP I would do a couple of things.
First make sure the Nachi classification plugin is discovered and 
working.  Second I'd squeeze ICMP down to 100K or so.  Then put a top 
talkers and listeners on there and check out the hosts on your side 
that are pumping out the traffic.  If your Internet link is saturated 
by ICMP traffic then yes that could cause problems with MSN.

Now as for the host.  Do you have an inbound and outbound 
classification for it?  Are the policies both set to discard?  Course 
if the host is on your campus I'd walk out there and unplug the thing.

As for the outside host:
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:       Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net

NetRange:   195.0.0.0 - 195.255.255.255
CIDR:       195.0.0.0/8
NetName:    RIPE-CBLK3
NetHandle:  NET-195-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    1996-03-25
Updated:    2003-09-19

TechHandle: RIPE-NCC-ARIN
TechName:   RIPE NCC Hostmaster
TechPhone:  +31 20 535 4444
TechEmail:  search-ripe-ncc-not-arin@ripe.net

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName:   RIPE NCC Hostmaster
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  search-ripe-ncc-not-arin@ripe.net

-- 
Allyn Crowe
Network Engineering
Information and Communications Technology Division
Eastern Michigan University
127 Pray-Harrold, Ypsilanti, MI 48197
V: 734.487.2374

"Halo 2 is a lot like Halo 1, only it's Halo 1 on fire, going 130 miles 
per hour through a hospital zone, being chased by helicopters and 
ninjas," explained Jason Jones, Bungie Studios head. "And the ninjas 
are all on fire, too."

On Dec 18, 2003, at 3:09 AM, Mustafa Cagatayli wrote:

>
>> Date: Thu, 18 Dec 2003 09:42:00 +0200
>> To: packeteer-edu@lists.Stanford.EDU
>> From: Mustafa Cagatayli <mscag@ciu.edu.tr>
>> Subject: Strange situations (Or may be lack of info/experience)
>>
>> Hi,
>>
>> Attached is the graph showing our internet traffic. Do you recognise 
>> anything strange ? This morning at 08:00 I rebooted the packetshaper 
>> 2500, whereas I didn't yesterday. Do you think everything is normal, 
>> and this may be a coincidence ?
>>
>> Also, I am obtaining the following strange situations ;
>>
>> 1 - Half of our output traffic is ICMP. What should I do ? Can this 
>> be a reason for people unable to connect using MSN Messenger?
>>
>> 2 - We had a server which caused us problems so I created a class for 
>> it,  and assigned it as "prohibited", both inbound and outbound. Now, 
>> using the "host info -sr -n 25" command I observe that the server is 
>> usually having 600+ connections and making a good inbound traffic, 
>> which strangely does not appear on the "TOP TEN" list. How do I BLOCK 
>> ALL THE TRAFFIC for this server?
>>
>> 3 - Again with the same command, I observe that an outside IP, 
>> 195.228.254.112, is having 300+ connections and making a good 
>> outbound traffic. Any idea about what this site is ?
>>
>> Regards.
>>
>>
>> Mustafa Cagatayli
>> CC
>
>
> Mustafa Cagatayli
> CC<morning-test.png>

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo@lists.stanford.edu
with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.  Archive
is at http://www.stanford.edu/group/networking/netlists/
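
The top-talkers check suggested in the reply above, as an added example that is not part of the original thread and is not PacketShaper code: it ranks internal hosts by outbound ICMP bytes and flags those sweeping many distinct outside addresses with echo requests. The campus prefix, thresholds, record layout and sample records are assumptions constructed for illustration; the 92-byte echo size is the value commonly reported for Nachi/Welchia pings and should be confirmed against your own captures.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): campus prefix, thresholds, record layout.
CAMPUS = ip_network("10.20.0.0/16")  # hypothetical internal range
NACHI_ECHO_LEN = 92                  # IP length commonly reported for Nachi pings; verify locally
FANOUT_THRESHOLD = 5                 # distinct echo targets before a host is flagged

# Constructed sample records: (src, dst, icmp_type, ip_total_length)
SAMPLE = (
    [("10.20.5.17", f"198.51.100.{i}", 8, 92) for i in range(1, 41)]  # address sweep
    + [("10.20.9.4", "203.0.113.10", 8, 84)] * 3                      # ordinary ping
    + [("10.20.9.4", "203.0.113.10", 3, 56)]                          # unreachable message
    + [("203.0.113.10", "10.20.9.4", 0, 84)] * 3                      # inbound replies
)

def icmp_top_talkers(records, campus=CAMPUS):
    """Rank campus sources by outbound ICMP bytes, tracking echo-request fan-out."""
    stats = defaultdict(lambda: {"bytes": 0, "targets": set(), "nachi_len": 0})
    for src, dst, icmp_type, length in records:
        if ip_address(src) not in campus or ip_address(dst) in campus:
            continue  # keep only traffic leaving campus over the Internet link
        entry = stats[src]
        entry["bytes"] += length
        if icmp_type == 8:  # echo request
            entry["targets"].add(dst)
            if length == NACHI_ECHO_LEN:
                entry["nachi_len"] += 1
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

def suspected_hosts(records, threshold=FANOUT_THRESHOLD):
    """Campus hosts pinging many distinct outside addresses with Nachi-sized echoes."""
    return [src for src, entry in icmp_top_talkers(records)
            if len(entry["targets"]) >= threshold and entry["nachi_len"] >= threshold]

if __name__ == "__main__":
    for src, entry in icmp_top_talkers(SAMPLE):
        print(f"{src:15} {entry['bytes']:6} bytes  {len(entry['targets']):3} echo targets")
    print("check these hosts:", suspected_hosts(SAMPLE))
```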