[nsp-sec] Anyone else seeing a HUGE increase in TCP/1935 from Limelight Networks

John Fraizer john at op-sec.us
Tue Jun 17 14:11:46 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Oberman wrote:

>> The best part of the day on Monday was being able to tell the
>> pointy-heads that Tiger Woods was responsible for the 3Gb/s DDoS on
>> the network. :) The "incident" went a long way towards getting me the
>> deep packet inspection capabilities I want as well. :)
>>
>> John
> 
> No. Tiger Woods, Rocco Mediate, and the U.S. Open were responsible for
> evidence that your network was not adequately provisioned for the
> unexpected demands for the "real world". No malware or miscreants
> involved...just demand for bandwidth which exceeded normal parameters by
> a wide margin.

The choice of words was made by the pointy-headed people, not me. I noted a network anomaly, investigated it and ultimately, with the help of others on this list, identified the cause of the anomaly. I really don't care if they call it a rose-flavored fart as long as it gets their attention enough to get me the DPI capabilities I've been begging for over the past two years. :) Given DPI capabilities, I could have identified the cause of the anomalous traffic exponentially more quickly. I generally don't ask them for much... If an innocuous flash crowd event tips the scales in favor of spending money on my project vs. buying more golf shirts and logo'd license plates, I'm a happy security geek.

> You need to have significant over-provisioning (not good
> for the bottom line), block the high-bandwidth stuff (also not good for
> business if people can't see Tiger), or you need to do some sort of
> shaping to not piss off anyone too much while keeping expenses in line.
> 
> Good luck! (Now throw in "net neutrality" and see where we are heading.)

We actually only saturated one link out of nearly twenty Gig drains. I could have TE'd some of that inbound traffic around to other drains, some of which had 80% headroom during the event, but by the time we identified the root cause it was a moot exercise, as the flash crowd was fizzling by then. :) We're no AS701 by any means, but we do tend to have excess capacity floating around here and there. :) When I see graphs of drains jump by 200-600Mb/s across our footprint and the 192 ring start carrying on the order of 3Gb/s more traffic in the timespan of 20mins, it does tend to get my attention still though.

John

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFIV/5i+16lRpJszIgRAsreAJ9+/K3WW4j3BZWXT+Lfjiea8t77eACfcSNf
oiDZwfX2WlHEfPp3VnubTxU=
=7XWE
-----END PGP SIGNATURE-----