From owner-freebsd-isp Mon Aug 9 11: 5:31 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from ccsales.com (ccsales.com [216.0.22.30]) by hub.freebsd.org (Postfix) with ESMTP id E745514BEC for ; Mon, 9 Aug 1999 11:05:29 -0700 (PDT) (envelope-from randyk@ccsales.com)
Received: (from randyk@localhost) by ccsales.com (8.9.1/8.9.0) id LAA14774; Mon, 9 Aug 1999 11:03:46 -0700 (PDT)
Message-ID: <19990809110346.02936@ccsales.com>
Date: Mon, 9 Aug 1999 11:03:46 -0700
From: randyk
To: freebsd-isp@freebsd.org
Subject: Attack or What?
Reply-To: randyk@ccsales.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

We have had this condition a few times. We thought it was a switch or
bandwidth limiter condition but after 3 brands of top name switches and
2 bandwidth limiters I am beginning to think otherwise.

The network has 2 ds3's coming into a Cisco 7507 on to a Xedia bandwidth
limiter on to gigabit ethernet cascaded Extreme Summit 48 switches.

The condition is as follows:

1. Extreme activity in the 90mbit range on 3 out of 4 of the switches.
2. This activity pumping up the outbound activity on one of the ds3
   lines to double our normal usage (from 18mbits to around 40mbits).
3. Activity subsides after around 15-20 minutes.

We have done all the usual Cisco limiting and filtering for SMURF
broadcasts that have been posted.

We have around 200 FreeBSD machines internally. I was wondering if there
is something we should be doing to those machines that might reduce this
activity if it is:

a) One of our machines being hijacked.
b) One of our customers on the machines doing bad things.

The machines in question are webservers.

Thank you,
Randy Katz