Looking for an Akamai contact, strange DoS traffic sourcing from Akamai sources

Tom Beecher tbeecher at localnet.com
Fri Jan 21 14:38:50 UTC 2011


Jack-

This is exactly what we're seeing. The Akamai server starts a 
retransmission flood aimed at a specific address randomly. We're seeing 
thousands of retransmissions of the same packet over and over again, 
same sequence/ack numbers, all 1460 bytes. In the last capture I have, 
it was all JPEG data, although we weren't capturing entire packets. 
There is a slight difference in the capture payloads, two bytes each time.

I had another dial-up provider contact me off list, and he's seeing the 
same thing. I'm wondering if this is actually more widespread, but only 
dial-up providers are really seeing the effects since a 3-5Mbps burst is 
most noticeable for us on our smaller upstream links.

On 1/21/2011 8:45 AM, Jack Bates wrote:
> I have a customer reporting the same thing. The traffic flood goes to 
> offline modem bank IPs. So far, Akamai hasn't actually grasped what 
> the problem is and says everything is fine. :(
>
> Luckily, most of the traffic (not all) is coming from my local 
> cluster, so it's easier to monitor what's going on. Packet captures 
> have shown the same packet being sent over and over, usually over 1400 
> bytes in size. Different floods may have different packets, but within 
> a flood it's identical. I wouldn't think you'd have data prior to the 
> 3-way, so I'm curious how the 3-way is being completed for the data to 
> be sent.
>
>
> Jack
>
> On 1/20/2011 4:46 PM, Tom Beecher wrote:
>> I've received a couple of responses off list, and am now in touch 
>> with Akamai directly.
>>
>> I appreciate everyone's assistance.
>>
>> On 1/20/2011 4:04 PM, Tom Beecher wrote:
>>> I'm looking for an Akamai contact to try and address a strange 
>>> situation.
>>>
>>> We have multiple sites across the country that aggregate 56k dialup 
>>> customers. Different sites are randomly experiencing inbound traffic 
>>> spikes that are overwhelming the uplinks to our carriers, causing 
>>> DoS situations.  These spikes far exceed the bandwidth that could 
>>> possibly be used by the number of dialup customers connected. We've 
>>> been able to trace the source of the traffic to Akamai boxes, but so 
>>> far have been unable to reach anyone at Akamai to discuss the 
>>> situation. We're attempting to get payload information, but the 
>>> traffic volume is making it slow going setting up packet captures at 
>>> these sites remotely.
>>>
>>> Thanks in advance,
>>>
>>> Tom
>>>
>>
>
>

-- 
Thomas Beecher II
Senior Network Administrator
LocalNet Corp.
CoreComm Internet Services
tbeecher at localnet.com
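
Added example, not part of the original message or thread: a sketch of how the flood signature described above (one segment repeated thousands of times with the same sequence/ack numbers and length, sent to addresses with no active session) could be picked out of capture records. The `Segment` record layout, the `min_repeats` threshold, the `online_ips` set and the sample data are assumptions constructed for this illustration.

```python
from collections import defaultdict, namedtuple

# One observed TCP segment; field names are this example's own, not a capture-tool format.
Segment = namedtuple("Segment", "ts src dst sport dport seq ack length")

def find_retransmission_floods(segments, min_repeats=1000, online_ips=frozenset()):
    """Group segments by (flow, seq, ack, length) and report groups repeated
    at least min_repeats times. Payload is deliberately not part of the key:
    the thread notes two payload bytes differ between otherwise identical packets."""
    groups = defaultdict(list)
    for s in segments:
        groups[(s.src, s.dst, s.sport, s.dport, s.seq, s.ack, s.length)].append(s.ts)
    floods = []
    for key, stamps in groups.items():
        if len(stamps) < min_repeats:
            continue
        duration = max(stamps) - min(stamps)
        total_bits = len(stamps) * key[6] * 8  # TCP payload only, headers not counted
        floods.append({
            "src": key[0], "dst": key[1], "seq": key[4], "ack": key[5],
            "length": key[6], "repeats": len(stamps),
            "mbps": round(total_bits / duration / 1e6, 2) if duration > 0 else None,
            # False means the target had no active session (e.g. an idle modem-bank IP).
            "dst_online": key[1] in online_ips,
        })
    return sorted(floods, key=lambda f: f["repeats"], reverse=True)

def constructed_sample():
    """Constructed data: one normal transfer plus one flood of 3000 identical segments."""
    normal = [Segment(i * 0.01, "192.0.2.10", "198.51.100.5", 80, 40000,
                      1000 + i * 1460, 500, 1460) for i in range(50)]
    flood = [Segment(10 + i * 0.003, "192.0.2.10", "198.51.100.77", 80, 51000,
                     424242, 777, 1460) for i in range(3000)]
    return normal + flood

if __name__ == "__main__":
    for f in find_retransmission_floods(constructed_sample(), online_ips={"198.51.100.5"}):
        print(f)
```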



