Re: Looking for an Akamai contact, strange DoS traffic sourcing from Akamai sources

Fri, 21 Jan 2011 06:39:48 -0800 

Jack-
This is exactly what we're seeing. The Akamai server starts a retransmission flood aimed at a specific address randomly. We're seeing thousands of retransmissions of the same packet over and over again, same sequence/ack numbers, all 1460 bytes. In the last capture I have, it was all JPEG data, although we weren't capturing entire packets. There is a slight difference in the capture payloads, two bytes each time. 


I had another dial-up provider contact me off list, and he's seeing the 
same thing. I'm wondering if this is actually more widespread, but only 
dial-up providers are really seeing the effects since a 3-5Mbps burst is 
most noticeable for us on our smaller upstream links. //


On 1/21/2011 8:45 AM, Jack Bates wrote:

I have a customer reporting the same thing. The traffic flood goes to 
offline modem bank IPs. So far, Akamai hasn't actually grasped what 
the problem is and says everything is fine. :(



Luckily, most of the traffic (not all) is coming from my local 
cluster, so it's easier to monitor what's going on. Packet captures 
have shown the same packet being sent over and over, usually over 1400 
bytes in size. Different floods may have different packets, but within 
a flood it's identical. I wouldn't think you'd have data prior to the 
3-way, so I'm curious how the 3-way is being completed for the data to 
be sent.



Jack

On 1/20/2011 4:46 PM, Tom Beecher wrote:

I've received a couple of responses off list, and am now in touch 
with Akamai directly.


I appreciate everyone's assistance.

On 1/20/2011 4:04 PM, Tom Beecher wrote:

I'm looking for an Akamai contact to try and address a strange 
situation.



We have multiple sites across the country that aggregate 56k dialup 
customers. Different sites are randomly experiencing inbound traffic 
spikes that are overwhelming the uplinks to our carriers, causing 
DoS situations.  These spikes far exceed the bandwidth that could 
possibly be used by the number of dialup customers connected. We've 
been able to trace the source of the traffic to Akamai boxes, but so 
far have been unable to reach anyone at Akamai to discuss the 
situation. We're attempting to get payload information, but the 
traffic volume is making it slow going setting up packet captures at 
these sites remotely.


Thanks in advance,

Tom








--
Thomas Beecher II
Senior Network Administrator
LocalNet Corp.
CoreComm Internet Services
tbeecher at localnet.com























					Reply via email to