QUOTE
TENET picked up a major issue on the International Router a short while ago. We have been working with Telkom to resolve this as a matter of urgency. Our apologies that this email did not go out sooner, due to the issues revolving around the fact that all outbound traffic (including traffic from the TENET offices) is routed outbound through the International router; we were as affected by this outage as others.
At the moment while we have traffic flowing again, the router is still under extreme CPU pressure and we are attempting to find the cause for this. This may result in more network instability until such time as this is resolved. If necessary a call will be logged with Cisco in order to get assistance on this problem.
QUOTE
After much investigation into the problems on the international router, and after liaising extensively with other industry players, we discovered that the cause of the problem was a fairly well crafted denial of service attack aimed at the cache infrastructure.
This attack is an almost identical duplicate of the attack that was launched against Internet Solutions last week, and is actually still ongoing as we speak. Internet Solutions was kind enough to supply us with some fairly detailed analysis of the attack from their side as well as some ideas as to how we can potentially mitigate the effects of this attack.
The attack is ICMP based, and seems to be generated by a Trojan Bot Net. It looks like the Trojan being used is something referred to as Peacomm (Trojan.Peacomm), more information can be found on this Trojan at: http://www.symantec.com/security_response/...-011917-1403-99
In the meantime, TENET has deaggregated one of its IP blocks, and removed the announcement for the block containing the cache servers. We have also removed any WCCP redirection to the cache, so we are effectively running with no cache service in place at this current point in time.
Due to the fact that we are in vacation period, we should not have any traffic problems as a result of this mitigation method, and should the attack continue we will have some time in order to plan another strategy to mitigate its effects. As such the network should be running as normal at the moment and should not be experiencing any negative impact.
This problem has in fact had a slight, but noticeable impact on web traffic to international sites. You'll experience this impact as a slight delay in pages loading.
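The deaggregation step described in the quoted notice, worked through as an added example that is not part of the original post or TENET's configuration. The addresses are constructed placeholders, and the /24 limit on routable IPv4 prefixes is an assumption about upstream filtering.

```python
import ipaddress

# Assumption: upstream peers filter IPv4 routes longer than /24.
MAX_PREFIXLEN = 24


def deaggregate(aggregate, target, max_prefixlen=MAX_PREFIXLEN):
    """Split `aggregate` around the attacked `target` block.

    Returns (withdrawn, announce): the block left unannounced and the
    more-specific prefixes that keep the rest of the aggregate reachable.
    The aggregate itself must be withdrawn as well, otherwise traffic for
    the target still follows it.
    """
    agg = ipaddress.ip_network(aggregate)
    tgt = ipaddress.ip_network(target)
    if not tgt.subnet_of(agg):
        raise ValueError(f"{tgt} is not inside {agg}")
    # A block longer than the routable limit cannot be carved out on its
    # own, so widen it to the covering routable prefix.
    limit = max(agg.prefixlen, max_prefixlen)
    if tgt.prefixlen > limit:
        tgt = tgt.supernet(new_prefix=limit)
    if tgt == agg:
        return tgt, []
    return tgt, sorted(agg.address_exclude(tgt))


def covers_everything_else(aggregate, withdrawn, announce):
    """Check the announced set is exactly the aggregate minus the withdrawn block."""
    agg = ipaddress.ip_network(aggregate)
    total = sum(n.num_addresses for n in announce)
    no_overlap = not any(n.overlaps(withdrawn) for n in announce)
    return no_overlap and total == agg.num_addresses - withdrawn.num_addresses


if __name__ == "__main__":
    # Constructed sample: aggregate and cache block are placeholders.
    withdrawn, announce = deaggregate("10.20.0.0/16", "10.20.48.32/27")
    print("withdraw:", "10.20.0.0/16", "and leave", withdrawn, "unannounced")
    for net in announce:
        print("announce:", net)
    print("complete:", covers_everything_else("10.20.0.0/16", withdrawn, announce))
```

Every other host inside the withdrawn /24 loses reachability along with the attacked servers, which is the cost the check makes visible before the announcements change.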