
I understand that this is rather a generic question but wanted to see if you all could offer some good feedback.

Our business has three locations, one on the West Coast and two on the East Coast. Our two East Coast locations seem to experience random high ingress traffic spikes causing the ISP to shut down access for high bandwidth. This triggers alerts from Nagios, as the Nagios server is on the West Coast and is unable to connect to the remote locations. I should note that this isn't only based on Nagios alerts; users in the two troublesome locations confirmed the loss of internet access. The ISP has also confirmed the temporary shut-off.

That said, the ingress traffic increase is anywhere from 10-20x higher than normal usage. Business is performed as normal during these random times, nothing out of the ordinary going on.

We do not have access to the router, only the ISP does, and the ISP has confirmed that their routers are fully functional.

What could this be? Compromised machines (botnet? But why the high ingress traffic)? Bad switch (could a bad switch cause a 10-20 fold increase in ingress traffic)? I'm open to any and all ideas.

Andrew Schulman
vpaterno

1 Answer


Maybe you are the target of some external botnet and/or extensive nmaps.

I suggest you carefully examine what type of ingress flood you are experiencing. Maybe it is relatively innocuous (e.g. incoming spam emails), but check it carefully.

shodanshok
  • Admins put my post on hold for being too generic, but I believe you may actually be on to something here. I ran nmap and found some curious ports open; I believe someone is infected and is drawing high ingress traffic as a result. We also ran some tests by shutting off some machines when traffic spiked, and said traffic settled down. – vpaterno Apr 13 '15 at 20:20
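As an added example of the answer's "carefully examine what type of ingress flood" step (my code, not shodanshok's or the poster's), the script below parses constructed NetFlow-style per-minute ingress records, flags minutes whose volume is 10x or more above the median baseline (the 10-20x figure from the question), and summarises which internal destination, which port and how many external sources dominate those minutes. That breakdown is what separates a single host pulling traffic from a flood, a port sweep or bulk inbound mail, before any machine is pulled off the network.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of ingress flow records (NetFlow-style CSV export),
# one-minute buckets. 10:00-10:03 are normal; 10:04 is a spike in which
# several external sources push bytes to one internal host on one port.
SAMPLE_FLOWS = """\
minute,src,dst,dport,proto,bytes
10:00,203.0.113.5,192.0.2.10,443,tcp,120000
10:00,198.51.100.7,192.0.2.11,25,tcp,30000
10:01,203.0.113.9,192.0.2.10,443,tcp,110000
10:01,198.51.100.7,192.0.2.11,25,tcp,40000
10:02,203.0.113.5,192.0.2.12,443,tcp,150000
10:03,198.51.100.8,192.0.2.11,25,tcp,35000
10:03,203.0.113.9,192.0.2.10,443,tcp,100000
10:04,203.0.113.20,192.0.2.33,40000,udp,900000
10:04,203.0.113.21,192.0.2.33,40000,udp,850000
10:04,198.51.100.40,192.0.2.33,40000,udp,950000
10:04,198.51.100.41,192.0.2.33,40000,udp,800000
"""

def parse_flows(text):
    """Parse the CSV export into dicts with integer byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes"] = int(r["bytes"])
    return rows

def bytes_per_minute(flows):
    """Total ingress bytes per one-minute bucket."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["minute"]] += f["bytes"]
    return dict(totals)

def spike_minutes(totals, factor=10):
    """Minutes at or above factor x the median minute. The median is a crude
    baseline, but unlike the mean it is not dragged up by a few spike minutes."""
    baseline = median(totals.values())
    return sorted(m for m, b in totals.items() if b >= factor * baseline)

def characterize(flows, minutes, top=3):
    """Byte share of the top destinations, ports and sources in the spike
    minutes, plus the number of distinct sources. One dst + one port + many
    sources = a single internal host pulling or being flooded; many ports from
    few sources looks like scanning; port 25 dominating is bulk inbound mail."""
    spike = [f for f in flows if f["minute"] in minutes]
    total = sum(f["bytes"] for f in spike) or 1  # avoid division by zero
    def share(key):
        c = Counter()
        for f in spike:
            c[f[key]] += f["bytes"]
        return [(k, round(v / total, 2)) for k, v in c.most_common(top)]
    return {"dst": share("dst"), "dport": share("dport"), "src": share("src"),
            "distinct_src": len({f["src"] for f in spike})}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    spikes = spike_minutes(bytes_per_minute(flows))
    print("spike minutes:", spikes)
    print(characterize(flows, spikes))
```

Point the same functions at a real flow export from the ISP or a span port; the thresholds and field names are the only parts tied to the constructed sample.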