Hi,
Regarding the logs I sent earlier, the .33 IP is not the address of the
webserver getting all the traffic, it's out of the range (the proper IP
being .43)
I'm still continuing my investigations.
Our aggregation switch graph shows clearly that the load balancer lost
all incoming traffic, and that the web3 server took it all.
This seems to confirm that for some reason the load balancer address was
taken by that web3 server, or something made our ISP router think so
(forged/spoofed packets?)
As a side note, we have more than one IP range going on that link, and
sending an ARP request for an IP not in our ranges gives us the
router IP as the answer (ARP proxy) - but if that had been the issue, the traffic
couldn't have gone to our web3 server without a reason.
If anyone has a clue how this could have happened ... I'd be glad to
know :)
I'm checking out how my setup works right now regarding gratuitous ARP
broadcasts and general ARP answers.
In the meantime I've increased monitoring of suspicious activities to be
able to react fast.
Thanks for listening,
--
Mathieu Massebœuf
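Added example (not from the original mail or its author): a small Python check, run over constructed ARP frames, that flags gratuitous ARP announcements and any frame claiming a tracked IP with a MAC other than the expected one, which is the kind of monitoring that would have caught the load balancer address moving to web3. The 192.0.2.x addresses and all MACs are assumptions made up for the sample.

```python
import struct

# Assumed/constructed values: 192.0.2.43 stands in for the ".43" load balancer
# address and 192.0.2.1 for the ISP router; all MACs are made up for this example.
EXPECTED = {"192.0.2.43": "00:00:5e:00:01:01"}  # load balancer IP -> its real MAC

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse Ethernet+ARP; return None for anything that is not an IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def check_frames(frames, expected):
    """Alert on gratuitous ARP and on a tracked IP being claimed by a different MAC."""
    table = dict(expected)
    alerts = []
    for f in frames:
        a = parse_arp(f)
        if a is None:
            continue
        if a["spa"] == a["tpa"]:  # sender announcing its own address
            alerts.append(f"gratuitous ARP for {a['spa']} from {a['sha']}")
        known = table.setdefault(a["spa"], a["sha"])  # learn unknown IPs, keep expected ones
        if known != a["sha"]:
            alerts.append(f"{a['spa']} claimed by {a['sha']}, expected {known}")
    return alerts

def build_arp(op, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed ARP frame (test data, not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda i: bytes(int(x) for x in i.split("."))
    return (mac(dst) + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample: a normal reply from the load balancer, a gratuitous ARP
# from "web3" claiming the load balancer's IP, and a non-ARP frame to be ignored.
SAMPLE_FRAMES = [
    build_arp(2, "00:00:5e:00:01:01", "192.0.2.43", "00:11:22:33:44:01", "192.0.2.1",
              dst="00:11:22:33:44:01"),
    build_arp(1, "52:54:00:aa:bb:03", "192.0.2.43", "00:00:00:00:00:00", "192.0.2.43"),
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 28,
]
```

Feeding the same function raw frames from a capture on the aggregation link (filtered to ethertype 0x0806) turns it into a running check; the two alerts on the sample show the gratuitous announcement and the conflicting claim as separate signals.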