Random Flooding of TCP Retransmissions

asked 2017-12-02 20:04:34 +0000

xormac

So I have a small WISP, and at random times I get a flood of TCP Retransmission packets that slows down the entire network:


With a delayed struggle I can access the core Mikrotik and drop all packets from the originating IP, and immediately this behaviour stops. I have rules to detect a DDoS attack but this random behaviour doesn't trigger any of those, and normally this doesn't last longer than about 5 to 10 minutes. It is however super annoying as immediately latency to the internet jumps through the roof and throughput dies to a complete standstill.

Does anyone have any advice in terms of what could be causing this and more importantly, how one can prevent it?

The picture has added little information to what you wrote, except that low ports (282, 284, 285, 286, 287), IANA-assigned to quite old and thus rarely used application protocols, are used at the remote side, while a "high" port is used on the "local" side. What is even more unusual, the same "high" port is used for all those sessions.

To find out what's really going on, I'm afraid your only chance is to take a large disk and start capturing the complete traffic on the internet-facing interface into a circular buffer of files using dumpcap or tcpdump, because you need to see what has happened before this flood. I have seen tons of packets knocking on three ports of the public address of my internet gateway and it came out it was a consequence of some of the machines in the internal network to take part in ...(more)

sindy (2017-12-03 18:01:59 +0000)
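The capture approach sindy describes (a ring of files on a large disk so the minutes before the flood survive, then a look at which conversations carry the retransmissions) as an added shell example. This is not code from the thread or from Wireshark; the interface name `eth1`, the directory `/var/cap` and the file sizes are assumptions, and it presumes a Linux host that sees the internet-facing traffic (for example via a mirror port on the core router).

```shell
# Added example (not from the thread): ring-buffer capture on the internet-facing
# interface, then a post-hoc summary of which TCP conversations carry the
# retransmissions. Interface name, directory and sizes are assumptions.

# Build the dumpcap ring-buffer command: rotate to a new file every SIZE_KB
# kilobytes and keep only the newest COUNT files, so a large disk holds the
# traffic from *before* a flood without ever filling up. dumpcap appends a
# sequence number and timestamp to OUTFILE for each file in the ring.
ring_capture_cmd() {
    iface=$1; size_kb=$2; count=$3; outfile=$4
    printf 'dumpcap -i %s -b filesize:%s -b files:%s -w %s' \
        "$iface" "$size_kb" "$count" "$outfile"
}

# Equivalent with tcpdump: -C is the file size in millions of bytes, -W the
# number of files to keep before the oldest one is overwritten.
tcpdump_ring_cmd() {
    iface=$1; size_mb=$2; count=$3; outfile=$4
    printf 'tcpdump -i %s -n -w %s -C %s -W %s' \
        "$iface" "$outfile" "$size_mb" "$count"
}

# After a flood: read a saved file, keep only frames that Wireshark's TCP
# analysis flags as retransmissions, and count them per (src, sport, dst, dport)
# so the originating host and a reused "high" port stand out at the top.
retrans_summary_cmd() {
    pcap=$1
    printf '%s' "tshark -r $pcap -Y tcp.analysis.retransmission -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn | head -20"
}

# Only run the capture when explicitly asked: it needs root and a real interface.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    mkdir -p /var/cap                      # assumed capture directory
    # 50 files x 100000 kB is roughly 5 GB of ring; size it to the link rate
    # and the disk, so that 10 to 15 minutes of traffic always stay on disk.
    sh -c "$(ring_capture_cmd eth1 100000 50 /var/cap/ring.pcapng)"
fi
```

Run the summary against the ring file whose timestamp covers the minutes before the slowdown began (or merge the relevant files with `mergecap` first); the conversations at the top of the count, and the packets immediately preceding their first retransmission, are where the cause will be.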

I agree you have to capture. Maybe you have some kind of loop or so sometimes in your network? Without a trace it is hard to tell. But I would also look at all switch logs.

Christian_R (2017-12-03 18:35:28 +0000)