Performance issues
A government unit with thousands of computers, protected by high-end firewall and IDS products, suddenly found its Internet access so slow that web pages would not even open. Ping tests were carried out in the equipment room: from the core switch, ping responses to internal hosts were normal, but pings to an external DNS server showed long response times and intermittent packet loss. Logging on to the switch showed that it was under heavy load, yet neither the firewall nor the IDS had raised any alarm. Checking the switch's ARP table revealed nothing unusual, so the ARP table was cleared and the switch restarted, but the fault persisted.
Analysis
The administrators first examined the data on the network, capturing it with network analysis software deployed on the core switch's collection link. From the large volume of real traffic captured, the analysis showed the following:
1. Although the network was almost paralysed, the traffic volume was not high: less than 140 MB in two minutes. The number of connections, however, was very high, up to 16,540. Sorting by connection count, the IP address with the most connections was 10.8.24.xx, which sent and received only 133 MB within two minutes but had far more connections than any other IP.
2. The analysis showed a high number of requests to port 445, all coming from the host 10.8.24.xx. The data showed that this host was sending request packets to port 445 of IP addresses inside the network at a rate of up to 140 per second.
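As an added example (not part of the original case report), the following Python script reproduces the two checks the analysis relied on over a constructed set of flow records: connections per source versus bytes per source, and per-source fan-out and request rate to port 445. The host address 10.8.24.77 is a placeholder standing in for the page's 10.8.24.xx, and the thresholds in find_scanners are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes, t_seconds).
# 10.8.24.77 is a placeholder for the page's 10.8.24.xx.
def build_sample_flows():
    flows = []
    n = 0
    # Worm-style SMB fan-out: one small request to every host in the /24,
    # ~140 requests per second, the rate reported in the case.
    for _sweep in range(4):
        for i in range(1, 255):
            flows.append(("10.8.24.77", f"10.8.24.{i}", 445, 120, n / 140))
            n += 1
    # Ordinary clients: few connections, each carrying far more data.
    for k, src in enumerate(("10.8.24.10", "10.8.24.11", "10.8.24.12")):
        for m in range(12):
            flows.append((src, "203.0.113.5", 443, 60_000, float(k * 10 + m)))
    return flows

def top_talkers(flows):
    """(src, connections, bytes) per source, most connections first.
    A source with many connections but little traffic is the page's tell-tale."""
    conns, size_by_src = Counter(), Counter()
    for src, _dst, _port, size, _t in flows:
        conns[src] += 1
        size_by_src[src] += size
    return [(src, c, size_by_src[src]) for src, c in conns.most_common()]

def port_fanout(flows, port=445):
    """Per source: (distinct destinations on `port`, peak requests/second to it)."""
    dsts, per_sec = defaultdict(set), defaultdict(Counter)
    for src, dst, dport, _size, t in flows:
        if dport == port:
            dsts[src].add(dst)
            per_sec[src][int(t)] += 1
    return {src: (len(dsts[src]), max(per_sec[src].values())) for src in dsts}

def find_scanners(flows, port=445, min_hosts=50, min_rate=20):
    """Sources sweeping many internal hosts on `port` at a high rate (assumed
    thresholds): the scanning behaviour that pointed at 10.8.24.xx."""
    return sorted(src for src, (hosts, rate) in port_fanout(flows, port).items()
                  if hosts >= min_hosts and rate >= min_rate)

if __name__ == "__main__":
    sample = build_sample_flows()
    print(top_talkers(sample)[:3])
    print(find_scanners(sample))
```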
Solution
1. Isolation. Having identified the source of the problem, the administrators first isolated it by unplugging the switch cable of the 10.8.24.xx machine. The whole network recovered: ping response times to external IPs returned to normal and websites could be visited normally.
2. Troubleshooting. Inspection of host 10.8.24.xx found that it was downloading large amounts of BT (BitTorrent) content. BT is peer-to-peer transmission and consumes a great deal of network resources, slowing normal network access until the network becomes very slow. The inspection also showed that this host, an important server on the internal network, was infected with a new worm that was generating a large amount of traffic, including network scanning attacks. The administrators removed the virus with a dedicated removal tool, and the server returned to normal.