It sounds like you were under attack, though it's hard to say for sure. I
doubt that it's a misconfig on your end, though. It could be a misconfig at
the other server, but probably not. I don't think you can set the parameters
that badly!? :-)

It sounds like a DoS attack because of the volume of 100,000 packets. What's
the timeframe, though? You said "burst" so I assume pretty quick.

Did the problem happen just once or has it reoccurred?

What do any relevant logs show? Do you have a firewall or Intrusion
Detection System that logs info? How about the server itself? Does it show
anything in its log?

Were all the packets to the server?

Were they ACKs or SYN ACKs? You mentioned both.

Were they in response to something your server sent?

Were they always the same ACK number?

What were the port numbers? You mentioned e-mail, so were the packets to
port 25 for SMTP? SMTP implementations used to have many security flaws.
Hopefully those would be fixed in a modern OS, but you never know.

Usually, DoS attacks are SYNs, but there are probably ones that use ACKs or
SYN ACKs too. A search on Google might reveal more info.

Anyway, I think you did the right thing by getting the ISP security folks
involved. Keep us posted, unless they recommend that you keep it quiet.

_______________________________

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com
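
A defender-side check for the questions above (same flag type, constant ACK number, which ports, burst rate per source), as an added example that is not part of this thread. It assumes tcpdump-style one-line summaries as input and runs on a constructed trace, not on Garrett's captures.

```python
import re
from collections import Counter, defaultdict

# Assumed input: tcpdump-style summaries such as
#   "1000.0003 IP 192.0.2.10.40000 > 198.51.100.5.25: Flags [.], ack 1"
# tcpdump prints a bare ACK as [.], a SYN-ACK as [S.] and a FIN-ACK as [F.].
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, ack (?P<ack>\d+))?"
)

def parse_line(line):
    """Return a dict of fields for one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["ts"], p["dport"] = float(p["ts"]), int(p["dport"])
    p["ack"] = int(p["ack"]) if p["ack"] is not None else None
    return p

def profile_sources(lines, window=1.0):
    """Per source IP: packet count, flag mix, distinct ack numbers and ports, packets per window."""
    per_src = defaultdict(lambda: {"packets": 0, "flags": Counter(), "acks": set(),
                                   "dports": set(), "buckets": Counter()})
    for p in filter(None, map(parse_line, lines)):
        s = per_src[p["src"]]
        s["packets"] += 1
        s["flags"][p["flags"]] += 1
        s["dports"].add(p["dport"])
        if p["ack"] is not None:
            s["acks"].add(p["ack"])
        s["buckets"][int(p["ts"] // window)] += 1
    return per_src

def flag_bursts(per_src, rate_threshold=1000):
    """Sources whose peak per-window rate reaches the threshold, with the thread's indicators."""
    return {
        src: {"peak_rate": max(s["buckets"].values()),
              "flag_types": sorted(s["flags"]),      # only one entry => every packet had the same flags
              "constant_ack": len(s["acks"]) == 1,   # the ack number never changed
              "dports": sorted(s["dports"])}         # e.g. [25] for a mail server
        for src, s in per_src.items() if max(s["buckets"].values()) >= rate_threshold
    }

def constructed_trace():
    """Constructed sample (not a real capture): 3,000 bare ACKs with one ack number in a single
    second from one host to port 25, plus a normal three-packet exchange from another host."""
    lines = [f"{1000 + i / 3000:.4f} IP 192.0.2.10.40000 > 198.51.100.5.25: Flags [.], ack 1"
             for i in range(3000)]
    lines += ["1000.5000 IP 203.0.113.7.51234 > 198.51.100.5.25: Flags [S]",
              "1000.5100 IP 203.0.113.7.51234 > 198.51.100.5.25: Flags [.], ack 42",
              "1000.6000 IP 203.0.113.7.51234 > 198.51.100.5.25: Flags [F.], ack 43"]
    return lines
```

Run `flag_bursts(profile_sources(constructed_trace()))` to see only the flooding host reported, with a single flag type, a constant ack number and port 25; the normal client is left out because its rate never approaches the threshold.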

Garrett Allen wrote:
> 
> heys,
> 
> ran into something interesting today.  not sure if it is a dos attack or if it
> indicates an ip stack misconfig. here is the symptom:
> 
> periodically through the day today we received 100,000 packet bursts on a t-1
> circuit.  this is a name-brand provider.  when the burst occurs it is from the
> same ip address.  on some bursts the packets are all acks.  on others they are
> all fin acks.  they are directed at our email servers.  when they occur the
> packets in a burst are all sourced from the same ip address.  in the one case
> where we resolved the ip address back it was another org's email server.  based
> on the router interface stats the traffic is coming from the outside and is
> not an internal broadcast storm.
> 
> per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer will
> retransmit the SYN-ACK 5 times, doubling the time-out value after each
> retransmission."   if the same logic holds for other parts of the handshake
> then i'm at a loss to explain tens of thousands of packets unless it is an
> exploit of a weakness in the stack that allows for virtually unlimited
> retries.
> 
> anyone run into this kind of situation before and was the resolution a service
> pack or other such server upgrade?  it caused considerable slowness on
> external accesses as you might imagine.  i grabbed a number of traces
> documenting it and we did contact our provider (they opened a ticket with
> their security folk).
> 
> thanks.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56365&t=56341