Date: Mon, 9 Aug 1999 11:03:46 -0700 From: randyk <randyk@ccsales.com> To: freebsd-isp@freebsd.org Subject: Attack or What? Message-ID: <19990809110346.02936@ccsales.com>
next in thread | raw e-mail | index | archive | help
Hello, We have had this condition a few times. We thought it was a switch or bandwidth limiter condition but after 3 brands of top name switches and 2 bandwidth limiters I am beginning to think otherwise. The network has 2 ds3's coming into a Cisco 7507 on to a Xedia bandwidth limiter on to gigabit ethernet cascaded Extreme Summit 48 switches. The condition is as follows: 1. Extreme activity in the 90mbit range on 3 out of 4 of the switches. 2. This activity pumping up the outbound activity on one of the ds3 lines to double our normal usage (from 18mbits to around 40mbits). 3. Activity subsides after around 15-20 minutes. We have done all the usual Cisco limiting and filtering for SMURF broad- casts that have been posted. We have around 200 FreeBSD machines internally. I was wondering if there is something we should be doing to those machines that might reduce this activity if it is: a) One of our machines being hijacked. b) One of our customers on the machines doing bad things. The machines in question are webservers. Thank you, Randy Katz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990809110346.02936>