We are having a very strange issue. On Tuesday 4.25.2006, we started noticing that our inbound bandwidth was being maximized. We could not determine which hosts were causing the problem, so we installed iftop (btw, very helpful tool!). The top two hosts were using around 500K of bandwidth each and the rest were lower. Needless to say, our internet was crawling and our VoIP system inoperable.
The hosts in question were as follows:
Naturally, I assumed this was some sort of DDoS attack and entered these host IPs as definitions and blocked all traffic from these IPs using the packet filter rules. Strangely, however, even though they were blocked in the packet filter, iftop was still showing them as connected to the ASG on port 80. Very odd indeed! Even more odd was that despite adding these hosts to the filter, 20 minutes would pass and yet ANOTHER DIFFERENT host would be connected on port 80 to the external address of the ASG.
I began looking at the possible causes and was able to narrow it down to the HTTP Proxy and/or Cobion Surf Protection. When I disabled the HTTP Proxy (transparent mode), the issue disappeared. Further, when I disabled the Surf Control (with the Proxy in transparent mode), it also disappeared. It is now running HTTP Proxy in transparent mode with Surf Control off.
Is this a possible issue with the definition file or something on the Cobion? Has anyone else experienced similar issues?