Does this look like BOT DOS to you?

Unanswered Question
Oct 22nd, 2008

I had a sudden increase of traffic to port 80 from several IPs. This triggered the "Sudden increase of traffic to a port" rule in MARS.

Looking at the PCs (Win XP SP2) involved, they all had TCP error #4226 at the time of the incident. 4226 is "TCP/IP reached the limit on the number of concurrent TCP connections."

The incident was sourced 30 times from 3 different internal PCs to Akamai Tech (a company that provides a distributed computing platform for global Internet content and application delivery), all within the same second.

How could I get more information to determine whether my PCs played a role in bot-like activity? All scans of the PCs are clean.

Thoughts? Ideas?

Thanks guys

Farrukh Haroon Wed, 10/22/2008 - 10:44

You could capture the traffic via the ASA (capture command), IPS capture, switch SPAN/VACL etc. and then analyze it using Wireshark. But to be honest, multiple connections to Akamai servers and Windows Update are normal for most Windows boxes on which websites are browsed. In fact I had to add a 'deny packet' exclusion on our MARS because the FWSM/Netscreen kept sending deny syslogs for Akamai servers from numerous users. They are mostly on non-standard ports.



kutukutu9 Wed, 10/22/2008 - 11:56

Hey Happs - you're always helpful, thanks.

It has only happened once so far, so I'll do that if it happens again on that same destination IP, but Akamai has a /15 network so...

But you stated multiple connections to Akamai are normal. I guess it could happen if they visited a site which contained multiple links to the Akamai destination IP. I didn't see that in the cookie history, though. And what are the chances of that happening from 3 source IPs within the same time frame?

Notwithstanding, based on the message on my Windows box ("max TCP connection request") and the port the requests were made on (port 80), it seems as if it was an HTTP DoS attack from my network to Akamai.

What can I do to further investigate this?

Farrukh Haroon Wed, 10/22/2008 - 12:14

Which device is reporting this into MARS? An IPS or a firewall?

HTTP is a cleartext protocol, so your best bet would be to check using a packet sniffer. You will see all HTTP requests captured in the clear for analysis. Yes, it is normal for three hosts to connect to Akamai at once.

Akamai can sometimes be notorious, so I would not worry about it too much. Just block it if you don't want this happening:



kutukutu9 Wed, 10/22/2008 - 12:53

I understand the capture piece; however, I would overload my firewall capturing all packets destined for port 80 on Akamai's /15 network =)

I hear you 100% and agree with your statements and links about Akamai.

But the timestamps on this event make me wonder how and why only three PCs in my network tried to connect to Akamai all within the same window of time (4 seconds or so), and each PC violated the "worm prevention" method used by Windows XP, which stops/logs each time more than 10 concurrent TCP sessions are opened to a single source. It's just very odd.
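As an added example (not from the thread, and not MARS's or the ASA's own code), here is a Python script that runs the two checks discussed above, the "sudden increase" burst and the several-hosts-at-the-same-second correlation, over constructed ASA-style %ASA-6-302013 "Built outbound TCP connection" syslog lines, the message a firewall forwards to MARS. The per-host threshold of 10 mirrors the limit Windows XP SP2 places on outstanding outbound TCP connection attempts before it logs event 4226. The internal addresses, the CDN prefix (203.0.113.0/24 standing in for the real /15), the interface names and the sample lines are all assumptions made for this example.

```python
"""Hunt for the pattern in the thread: several internal hosts each opening many
TCP/80 connections to one CDN range within the same few seconds.

Constructed example, not from the original thread. It reads ASA-style
%ASA-6-302013 "Built outbound TCP connection" syslog lines; hosts, CDN prefix,
interface names and all sample lines are made up. 203.0.113.0/24 is a
documentation range standing in for the CDN's /15, 10.1.1.0/24 for the LAN.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-302013: "
    r"Built outbound TCP connection \d+ "
    r"for \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to \S+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)$"
)


def asa_line(ts, conn_id, dst, dport, src, sport):
    """Format one constructed 302013 line ('outside'/'inside' interface names assumed)."""
    return (f"{ts:%b %d %Y %H:%M:%S}: %ASA-6-302013: Built outbound TCP connection "
            f"{conn_id} for outside:{dst}/{dport} ({dst}/{dport}) "
            f"to inside:{src}/{sport} ({src}/{sport})")


def build_sample():
    """Constructed log: three PCs burst to the CDN at the same second, one browses normally."""
    t0 = datetime(2008, 10, 22, 9, 15, 1)
    lines, conn = [], 1000
    for i, src in enumerate(("10.1.1.5", "10.1.1.6", "10.1.1.7")):
        for n in range(12):                       # 12 new flows inside ~2 s per host
            conn += 1
            lines.append(asa_line(t0 + timedelta(seconds=n // 6 + i), conn,
                                  f"203.0.113.{10 + n}", 80, src, 49152 + n))
    for n in range(3):                            # ordinary browsing, 20 s apart
        conn += 1
        lines.append(asa_line(t0 + timedelta(seconds=30 + 20 * n), conn,
                              "203.0.113.40", 80, "10.1.1.9", 50000 + n))
    lines.append(asa_line(t0, 9999, "198.51.100.7", 443, "10.1.1.5", 51000))  # not port 80
    return "\n".join(lines)


def parse_events(text):
    """Parse 302013 lines into dicts; unrelated syslog lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return sorted(events, key=lambda e: e["ts"])


def per_source_bursts(events, dst_prefix, window=timedelta(seconds=1), threshold=10):
    """Per internal host, the largest number of new TCP/80 flows to dst_prefix that
    start inside a sliding window. threshold=10 mirrors the XP SP2 limit on
    outstanding outbound connection attempts that produces event 4226."""
    net = ipaddress.ip_network(dst_prefix)
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == 80 and ipaddress.ip_address(e["dst"]) in net:
            by_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in by_src.items():
        start, best, best_at = 0, 0, times[0]
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_at = end - start + 1, times[start]
        if best >= threshold:
            bursts[src] = {"count": best, "at": best_at}
    return bursts


def correlated_hosts(bursts, window=timedelta(seconds=4)):
    """Group bursting hosts whose burst windows begin within `window` of each other.
    One host bursting can be one busy page; several at once is what merits a capture."""
    order = sorted(bursts.items(), key=lambda kv: kv[1]["at"])
    groups, current = [], []
    for src, info in order:
        if current and info["at"] - bursts[current[0]]["at"] > window:
            groups.append(current)
            current = []
        current.append(src)
    if current:
        groups.append(current)
    return [sorted(g) for g in groups if len(g) >= 2]


if __name__ == "__main__":
    ev = parse_events(build_sample())
    b = per_source_bursts(ev, "203.0.113.0/24")
    for src, info in sorted(b.items()):
        print(f"{src}: {info['count']} new flows from {info['at']:%H:%M:%S}")
    print("hosts bursting together:", correlated_hosts(b))
```

Fed real 302013 lines (or the equivalent FWSM messages), the script only needs the real CDN prefix in place of the stand-in; the sliding-window logic is what MARS's "sudden increase" rule approximates, and the correlation step is the part that distinguishes three independent users hitting a busy site from three hosts acting in lockstep.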

