Web Hosting Talk

41.2Mbps MRTG ftp traffic


driverdave
10-21-2001, 06:09 PM
I noticed 2 very large 'in' spikes on my MRTG daily graph. Both looked identical, 2 hours apart, both at 41.2Mbps.

I have 2 raqs at the same NOC, only noticed this on one of them. I can't even get anywhere near that speed raq to raq.

Any ideas? I can't figure out whats going on. Nothing fishy in my logs (xfer, ftp, last, history).

The only things I can think of

- Direct connect to my raq through the router
- 2 identical mistakes

nexzt
10-22-2001, 12:19 PM
In spikes? Could be some sort of a Denial of Service attack.

driverdave
10-22-2001, 04:48 PM
It's weird. It happened Sunday morning at 12:45 and 2:45. Monday, it happened at 2:45 again.

A spike of ftp traffic into the machine. Can't find anything in my logs. It's really high and short around 50Mbps.

I'm running tcpwrappers, and denying all. I don't see anything out of the ordinary in my secure logs, just the cobalt making sure services are available.

Jason_Berresford
10-22-2001, 08:30 PM
I'm not sure exactly what causes the spikes, however you're not alone. Our graphs have spiked that high before on individual graphs, and even higher on the switch monitoring graphs, for no reason at all. The one thing I do know is that the spike is not a "true" representation of the traffic the MRTG graph is looking at. It seems to be almost an error in the way MRTG looks at the information at that period... Almost like a hiccup.

driverdave
10-23-2001, 04:33 AM
Thanks. At least I know that errors like this can happen.

The spike didn't return tonight.

Hopefully this will be over. It makes it hard to notice any abnormalities in my traffic due to these giant +50Mbps spikes in traffic. It hides all of my real traffic.

monkey_boy
10-23-2001, 10:56 AM
I'm just throwing out wild ideas here.

driverdave
10-23-2001, 08:13 PM
Nope. No backups scheduled for any of my 3 raqs, including the one with odd traffic.

I just can't grasp anything being able to ftp into my machine at 50+Mbps.

It just seems like an error to me, but I'm paranoid.

driverdave
10-24-2001, 03:18 AM
Well, it looks like these were not errors. Being hit with a DDOS attack, I think, right now.

3 waves of about 30-40 Mbps traffic out, and 20 Mbps traffic in to my box.

No ftp, http, ssh etc...

It looks like the whole subnet is being affected with this traffic.

I told my host about the strange traffic I had a few days ago; they told me to check my logs, which I already had.

Nothing to account for the traffic.

Now the whole subnet is down.

I know nothing about these sorts of things. Time to learn...

I've attached the MRTG graph for tonight.

Jason_Berresford
10-24-2001, 03:21 AM
DriverDave, I would have to agree with you, those are much longer than our so-called hiccups... Have you tried to run a netstat yet to see if any machines are connected to you? A sync attack could cause that much traffic, which would not show up in your logs. However, it would also crap out your box.

driverdave
10-24-2001, 04:24 AM
I didn't notice anything out of the ordinary. I'm currently under attack again right now, so no access to the box.

What sort of socket connection would I be looking for? I did run netstat when I could get in, and didn't notice anything other than www connections and my ssh connect.

I think I typed netstat -a

Could you point me in a direction to learn about sync attacks? I searched Google and came up rather empty.

Would this attack cause the whole subnet to go down too?
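
As an added example, not posted by anyone in this thread, here is the kind of check Jason is suggesting and driverdave is asking about: take the output of `netstat -an`, count TCP sockets per state, and list which remote hosts hold half-open (SYN_RECV) connections. The sample netstat text below is constructed for the example and the threshold of 3 is an arbitrary assumption.

```python
"""Summarise netstat -an output: TCP states and half-open connections per remote host."""
from collections import Counter

# Constructed sample of `netstat -an` output (not captured from a real box).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:41022      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:51544      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1027        SYN_RECV
tcp        0      0 192.0.2.10:21           203.0.113.77:2000       SYN_RECV
"""


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for each TCP row; headers and UDP rows are skipped."""
    for line in text.splitlines():
        parts = line.split()
        # A TCP row has at least proto, recv-q, send-q, local, foreign, state.
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        yield parts[0], parts[3], parts[4], parts[5]


def state_summary(text):
    """Count sockets per TCP state (LISTEN, ESTABLISHED, SYN_RECV, ...)."""
    return Counter(state for _, _, _, state in parse_netstat(text))


def half_open_by_host(text):
    """Count SYN_RECV (half-open) connections per remote address, port stripped."""
    counts = Counter()
    for _, _, foreign, state in parse_netstat(text):
        if state == "SYN_RECV":
            host = foreign.rsplit(":", 1)[0]  # drop the remote port
            counts[host] += 1
    return counts


def suspicious_hosts(text, threshold=3):
    """Remote hosts holding at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(h for h, n in half_open_by_host(text).items() if n >= threshold)


if __name__ == "__main__":
    # Usage on a live box: netstat -an > snapshot.txt, then pass the file's contents here.
    print("states:", dict(state_summary(SAMPLE_NETSTAT)))
    print("half-open per host:", dict(half_open_by_host(SAMPLE_NETSTAT)))
    print("hosts over threshold:", suspicious_hosts(SAMPLE_NETSTAT))
```

The per-host view only helps when the source addresses are real; a flood that spoofs its sources spreads SYN_RECV entries across many addresses, so the total count of SYN_RECV sockets in the state summary (against a normal baseline for the box) is the more reliable sign. A switch-level attack like the one RackShack later identified would not show up in netstat at all, which matches driverdave seeing nothing unusual.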

nexzt
10-24-2001, 08:55 AM
Who is your backbone provider? i.e. Verio, Sprint, UUNET?

driverdave
10-24-2001, 03:34 PM
I'm at RackShack, and it looks like I'm going off their Verio OC3, according to a traceroute.

Jason - That gif of our MRTG graph was for the DDOS attack, but the spikes I spoke of in my first post were nothing like that. They were blue spikes and really short, but high, at ~40Mbps of traffic. The top of the graph was a pixel, really short duration.

driverdave
10-25-2001, 04:35 AM
Just to let everyone know, a tech from RackShack emailed me after viewing this thread and filled me in. Thanks to all for your help.

Cause - DOS attack on the switch. It looks like RS took care of it, everything seems good now.