Re: Strange situations (Or may be lack of info/experience)
Mustafa Cagatayli wrote:
>
> Hi,
>
> Attached is the graph showing our internet traffic. Do you recognise
> anything strange ? This morning at 08:00 I rebooted the packetshaper 2500,
> whereas I didn't yesterday. Do you think everything is normal, and this may
> be a coincidence ?
Not sure what the MRTG graph is showing, looks like generic bandwidth.
Depending on your user population, hours of operation, and public access,
this could be fairly normal.
> Also, I am obtaining the following strange situations ;
>
> 1 - Half of our output traffic is ICMP. What should I do ? Can this be a
> reason for people unable to connect using MSN Messenger ?
I'd say that you have several hosts infected with Nachi or some variant.
We have a 45 Meg pipe to the Internet and I have ICMP outbound capped at
5000 bps. Usually it runs at about 1200 bps but when it plateaus at 5000
I know I have another infected machine.
> 2 - We had a server which caused us problems so I created a class for
> it, and assigned it as "prohibited", both inbound and outbound. Now, using
> the "host info -sr -n 25" command I observe that the server is usually
> having 600+ connections and making a good inbound traffic, which strangely
> does not appear on the "TOP TEN" list. How do I BLOCK ALL THE TRAFFIC for
> this server.
If you have access to the routers or firewall it would be much easier to
block all connections at that point. I have never tried to do it on the
PacketShaper.
> 3 - Again with the same command, I observe that an outside IP,
> 195.228.254.112, is having 300+ connections and making a good outbound
> traffic. Any idea about what this site is ?
Another router or sniffer task. On the router I would temporarily log
connections from this host and then check the log to see what port numbers
the connections run on and make a decision from there. Likely you could
block this host without impacting your service too much. Of course since
the block is on your end of your link to the Internet it will still be
chewing up bandwidth (depending on connection type).
> Regards.
>
> Mustafa Cagatayli
> CC
Good Luck,
-Jeff Caslake
-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo@lists.stanford.edu
with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body. Archive
is at http://www.stanford.edu/group/networking/netlists/
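
Added example, not part of the original message or of either poster's own tooling: a small triage script for the two checks suggested in the reply, finding which internal host is behind the outbound ICMP and profiling the ports used by the outside address once its connections are logged. The log format, the internal 10.x addresses, the sample lines and the fan-out threshold are all constructed assumptions; only 195.228.254.112 comes from the thread.

```python
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical format (not any real router's
# log syntax): time src dst proto dport bytes
SAMPLE_LOG = """\
08:00:01 10.1.4.23 198.51.100.1 icmp - 92
08:00:01 10.1.4.23 198.51.100.2 icmp - 92
08:00:01 10.1.4.23 198.51.100.3 icmp - 92
08:00:02 10.1.4.23 198.51.100.4 icmp - 92
08:00:02 10.1.7.9 198.51.100.1 icmp - 64
08:00:03 195.228.254.112 10.1.2.5 tcp 8080 410
08:00:03 195.228.254.112 10.1.2.5 tcp 8080 388
08:00:04 195.228.254.112 10.1.2.5 tcp 80 1200
08:00:05 10.1.7.9 198.51.100.1 icmp - 64
"""

def parse(log):
    """Yield (src, dst, proto, dport, bytes) tuples, skipping malformed lines."""
    for line in log.splitlines():
        f = line.split()
        if len(f) == 6 and f[5].isdigit():
            yield f[1], f[2], f[3], f[4], int(f[5])

def icmp_fanout(records, internal_prefix="10."):
    """Count distinct ICMP destinations per internal source address."""
    targets = defaultdict(set)
    for src, dst, proto, _, _ in records:
        if proto == "icmp" and src.startswith(internal_prefix):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def suspects(fanout, min_targets=3):
    """Internal hosts pinging at least min_targets distinct addresses."""
    return sorted(src for src, n in fanout.items() if n >= min_targets)

def port_profile(records, host):
    """Connection count and byte volume per (proto, port) involving host."""
    conns, volume = Counter(), Counter()
    for src, dst, proto, dport, size in records:
        if host in (src, dst) and proto != "icmp":
            conns[(proto, dport)] += 1
            volume[(proto, dport)] += size
    return conns, volume

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    print("ICMP sweep suspects:", suspects(icmp_fanout(records)))
    print("Port profile:", port_profile(records, "195.228.254.112")[0].most_common())
```

A host that keeps pinging one address stays below the threshold, while a host reaching many distinct destinations is the one to pull off the network and inspect.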