nanog mailing list archives

Re: Looking for an Akamai contact, strange DoS traffic sourcing from Akamai sources


From: Jack Bates <jbates () brightok net>
Date: Fri, 21 Jan 2011 08:43:48 -0600

On 1/21/2011 8:38 AM, Tom Beecher wrote:
> Jack-
>
> This is exactly what we're seeing. The Akamai server starts a
> retransmission flood aimed at a specific address randomly. We're seeing
> thousands of retransmissions of the same packet over and over again,
> same sequence/ack numbers, all 1460 bytes. In the last capture I have,
> it was all JPEG data, although we weren't capturing entire packets.
> There is a slight difference in the capture payloads, two bytes each time.


The content between attacks changes at times, as do the source IPs, as they send different content. We've noticed packets from at least 2 different Akamai-hosted sites being sent.

1460 is definitely the number. What gets me is that the 3-way should be complete to allow the 1460, and the modem bank is spamming host unreachable ICMP messages since that IP is offline.

> I had another dial-up provider contact me off list, and he's seeing the
> same thing. I'm wondering if this is actually more widespread, but only
> dial-up providers are really seeing the effects since a 3-5Mbps burst is
> most noticeable for us on our smaller upstream links.

This was my thought, though in my downstream's case, it's saturating his DS-3. The 45mb spikes were just enough for me to barely make it out on the Akamai gig-e graphs.

He's also not always receiving from my local node. Sometimes his other transit links saturate due to remote nodes doing the same thing.


Jack
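
An added example, not part of the original message or thread: one way to flag the pattern described above (the same data segment repeated with identical sequence/ack numbers toward a host that is also drawing ICMP host-unreachable messages) from `tcpdump` text output. The line layout, addresses, and the threshold value are assumptions; the sample input is constructed.

```python
import re
from collections import Counter

TCP = re.compile(r"IP (\S+) > ([^:\s]+): Flags \[[^\]]*\], seq (\d+)(?::\d+)?, "
                 r"ack (\d+), .*length (\d+)")
UNREACH = re.compile(r"ICMP host (\S+) unreachable")

def find_retransmit_floods(lines, threshold=100):
    """Flag data segments repeated >= threshold times with identical
    endpoints, seq, ack and length; note whether ICMP host-unreachable
    messages were also seen for the destination address."""
    repeats, unreachable = Counter(), set()
    for line in lines:
        icmp = UNREACH.search(line)
        if icmp:
            unreachable.add(icmp.group(1))
            continue
        tcp = TCP.search(line)
        if not tcp or tcp.group(5) == "0":      # skip non-TCP lines and bare ACKs
            continue
        src, dst, seq, ack, length = tcp.groups()
        # Payload is deliberately not part of the key: only headers are compared.
        repeats[(src, dst, int(seq), int(ack), int(length))] += 1
    return [
        {"src": k[0], "dst": k[1], "seq": k[2], "ack": k[3], "length": k[4],
         "count": n, "dst_unreachable": k[1].rsplit(".", 1)[0] in unreachable}
        for k, n in repeats.items() if n >= threshold
    ]

def constructed_sample():
    """Constructed tcpdump-style text (documentation addresses), not a real capture."""
    flood = ["08:40:00.%06d IP 192.0.2.10.80 > 198.51.100.7.1043: Flags [.], "
             "seq 1:1461, ack 1, win 5840, length 1460" % i for i in range(1000)]
    normal = ["08:40:01.%06d IP 192.0.2.10.80 > 198.51.100.9.2000: Flags [.], "
              "seq %d:%d, ack 1, win 5840, length 1460"
              % (i, 1 + 1460 * i, 1461 + 1460 * i) for i in range(200)]
    icmp = ["08:40:00.000500 IP 203.0.113.1 > 192.0.2.10: "
            "ICMP host 198.51.100.7 unreachable, length 36"]
    return flood + icmp + normal

if __name__ == "__main__":
    for hit in find_retransmit_floods(constructed_sample()):
        print(hit)
```
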

