Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

Chit Chat Public Talk about any thing you want! This forum is public.

  #1  
Old 05-08-2003, 12:03 AM
bootNumlock
Brangwyn fan club member
Vortech Inc. Customer
 
Location: chicago
is it possible that brad will get some sleep tonight?

i don't want to jinx things, but it appears we lived through the 'witching hour' tonight with the servers, routers, hard-drives, rack screws, cases, fans or whatever has been keeping brad up at night (save vixen)

anyway i wanted to say that regardless of all the bitching and crying about TTs and forum posts of trouble shooting... the matrix, vortec, rapid, (fill in any other name here) gang do one heck of a job--not to mention that they are just plain good people.

i am sure i have said this before, but i am so glad i found this great group of people and peers. (i think i am going to cry)

craig-- i miss ya buddy!

after all, we have all been around these mystical boxes we call computers for several years (at least i hope most of us have) and i don't care how much schoolin' or sperience you got--these new fangled thingy mabobs never work like you want em to.

also-- just for the record... i still think nt19 is a cheating little you know what
__________________
boot numlock
  #2  
Old 05-08-2003, 12:12 AM
Bladesnitz
Guest
 
Yes, it seems like the problems just won't go away
  #3  
Old 05-08-2003, 12:16 AM
bootNumlock
Brangwyn fan club member
Vortech Inc. Customer
 
Location: chicago
oh sh*t, i did jinx things. I am sooooo sorry.
  #4  
Old 05-08-2003, 12:20 AM
landiserve
Guest
 
Huh, no you didn't, they jinxed themselves, or the black cat is running around the DC or something.
  #5  
Old 05-08-2003, 12:54 AM
Silverbug
Custom Built Solutions
Vortech Inc. Customer
 
Location: AK, New Zealand
whoa, deja vu.... (the black cat) yeah yeah corny i know. only 8 more days till reloaded
__________________
Paul Foley
Sniper Systems Ltd

  #6  
Old 05-08-2003, 01:09 AM
admin
Vortech Inc. Owner
Owner
 
Location: Orlando FL
Good old f'ing MS... I don't think I will ever be able to sleep.. I am about to toss NT5 out the window along with NT19 and its buddies..

MS has no ideas, I am running out of them for NT5, it's the most f'ed thing I have ever seen in my life.. I am going to let you guys in on what it's doing; I am open for ideas..


http://mrtg.vortechhosting.com/switc...5.57.231.13_17
As you can see at 18:00 for 2 nights it's been hit with a load of bandwidth in and out, then again around 1:30 till none.

It takes the server down when it does this. It's so bad we can't even run netstat on it.. There is NOTHING running on the server; I can even stop IIS and it still keeps on going. We go hey maybe it's a worm or virus. So we remove the main IP from the server, 216.157.132.97; it stops the outgoing but there is still stuff coming in. So I think hey it's not a virus or a worm as it should not care what the IP is. But then I think what the hell is this traffic coming in.. What IP is it going to.. It does not seem to be going to much of anything from what everything says.. I turn IIS back on, everything works but the sites on the shared IP and the main IP of the server, the .97. So I add the IP back, server slows down and IIS goes down, bandwidth picks back up in and out.

We now have filters set up to check packets coming in and out to see if we can find anything but right as we got them in place it stopped.. In a way I hope it does start again so we can nail them but I also wish it would go away, whatever it is..

I am open for ideas and working hard with all the techs here to track this down.
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

  #7  
Old 05-08-2003, 01:58 AM
landiserve
Guest
 
Just to head off the questions, that link IS for nt5, even though it says mysql1. Just to let you all know.
  #8  
Old 05-08-2003, 03:43 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
Network Monitor: whilst it's happening, save a 20 second trace and analyse it later.
  #9  
Old 05-08-2003, 08:26 PM
Wonderer
Vortech Inc. Customer
 
Location: Portland, Oregon
That's quite a hit it's taking. Almost looks like a DDoS. If you're not seeing anything from your routers in terms of DDoS I would try enabling IIS's extended logs to show protocol types and connections, then enabling system auditing to see if you can grab some debugging info from the NIC and from IIS's protected processes. Could also be a major FTP hit. FTP services in IIS are lacking quite badly.
__________________
http://www.wonderer.net/
  #10  
Old 05-08-2003, 10:55 PM
admin
Vortech Inc. Owner
Owner
 
Location: Orlando FL
When they are doing the DDOS it's so bad I can not even move the mouse. It's only about 5MB but if it's 5MB of small packets it can kill a server fast.. :*( I think we may have it stopped but don't hold me to that just yet..

We are also installing a new firewall in the next week or so. I hope it will help stop that kind of thing for good.
  #11  
Old 05-08-2003, 10:57 PM
bootNumlock
Brangwyn fan club member
Vortech Inc. Customer
 
Location: chicago
any indication on where it is coming from???
  #12  
Old 05-08-2003, 11:22 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
Wonderer, the IIS logs won't help much unless it's specifically port 80 or 443 traffic that's being used; most DDoS attacks use icmp or other protocols to flood the server.

Also if it was port 80 floods then turning on the logging could have larger repercussions; the additional overhead in logging the information and the size of the files could very quickly cause the filesystem to run out of storage.
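An added example, not part of any post in this thread: a summary of a short saved trace, showing why a flood of small packets can look modest in bandwidth while the packet rate is high, and how little of it an IIS log would record. The packet records are constructed, the addresses come from documentation ranges, and the two thresholds are hypothetical values chosen for illustration.

```python
from collections import Counter

WEB_PORTS = {80, 443}  # the only traffic an IIS log could record

def build_sample():
    """Constructed 2-second trace: (time_s, src_ip, proto, dst_port, wire_bytes)."""
    flood_srcs = ["203.0.113.5", "203.0.113.77", "198.51.100.9"]  # RFC 5737 ranges
    pkts = [(i / 3000, flood_srcs[i % 3], "icmp", None, 60) for i in range(6000)]
    pkts += [(i * 0.05, "192.0.2.50", "tcp", 80, 1200) for i in range(40)]
    return sorted(pkts, key=lambda p: p[0])

def summarize(pkts, window_s):
    """Reduce a trace covering window_s seconds to rate, size and source figures."""
    total = len(pkts)
    wire_bytes = sum(p[4] for p in pkts)
    web = sum(1 for p in pkts if p[2] == "tcp" and p[3] in WEB_PORTS)
    return {
        "pps": total / window_s,                      # packets per second
        "mbit_s": wire_bytes * 8 / window_s / 1e6,    # bandwidth on the wire
        "avg_bytes": wire_bytes / total,              # mean packet size
        "by_proto": dict(Counter(p[2] for p in pkts)),
        "top_sources": Counter(p[1] for p in pkts).most_common(3),
        "iis_visible_share": web / total,             # fraction a web log would see
    }

def looks_like_small_packet_flood(report, pps_limit=2000, avg_limit=128):
    """Hypothetical thresholds: high packet rate combined with a small mean size."""
    return report["pps"] > pps_limit and report["avg_bytes"] < avg_limit

if __name__ == "__main__":
    report = summarize(build_sample(), window_s=2.0)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("small-packet flood:", looks_like_small_packet_flood(report))
```

On the constructed trace the link carries under 2 Mbit/s, yet the host handles over 3000 packets per second, and fewer than 1% of those packets are web requests that IIS logging could capture.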
  #13  
Old 05-09-2003, 12:38 PM
Wonderer
Vortech Inc. Customer
 
Location: Portland, Oregon
Quote:
Originally posted by admin
When they are doing the DDOS it's so bad I can not even move the mouse. It's only about 5MB but if it's 5MB of small packets it can kill a server fast.. :*( I think we may have it stopped but don't hold me to that just yet..

We are also installing a new firewall in the next week or so. I hope it will help stop that kind of thing for good.


You could telnet into the server and run netstat to track connections? You may also be able to use something like blackice as a connection logger. It may degrade performance a bit, but if you only enable it 30min before you expect the hit, it would be minimised, not to mention the server load should be lighter at that time anyways.
  #14  
Old 05-09-2003, 01:07 PM
landiserve
Guest
 
I wouldn't think leaving telnet open would be a good idea, the idea is pretty good, but telnet is not normally something one would leave open.
  #15  
Old 05-09-2003, 01:19 PM
Wonderer
Vortech Inc. Customer
 
Location: Portland, Oregon
Quote:
Originally posted by landiserve
I wouldn't think leaving telnet open would be a good idea, the idea is pretty good, but telnet is not normally something one would leave open.


I keep it closed on all of my boxes. Just an idea though, a netlogging app may be the best idea. Unless of course they can log in to their firewall or router and find the connection there.
All times are GMT -5.