Level 3 Hijinx…I think there is a Microsoft mole in the network.

I was on a client site today troubleshooting some bandwidth problems. The first issue ended up being that a power outage the night before had kept the edge router from coming up clean. A reload and a quick check of the config and life was good again. Currently this particular edge site for the client only has 1Mbit of their T1 and the rest is dedicated to their phone system. After being down a good portion of the morning, the data link really took a hit when we got things working, as email came flying in and everyone rushed out to see how their eBay bids were going.

So getting back from lunch we noticed that the link was still fully committed. The traffic pattern in PRTG indicated that it was some sort of update stream (we have fought this battle before), but with Apple Update servers blocked we were pretty sure it was not the Macs (95% of all systems on this network). However, based on the network it was on and the location within that network, we were left without other options. A quick sh queue serial x/x/x on our core router showed that we had four hosts competing for the bandwidth. Two of those were to our mail server but the other two were internet sources. A quick trip to ARIN and a lookup of 216.143.70.11 showed that this was a McAfee update. A quick addition to our update server block group on our ASA (we have update servers on site at this client to better manage bandwidth) and the link settled right down.

Out of curiosity I returned to the other public address I had seen in our queue, 8.255.1.254, which according to ARIN was registered to L3 communications. I tried accessing it on all the normal ports via a web browser, but with no quick answer I turned to my best friend Google. Out of what my friend returned, this link to Broadband Help Forums seemed the most relevant. In the end, as you can see in the forum posts, it was a Windows XP host just trying to get its updates.

We have verified this and now we can fix the problem locally or block it if it becomes a problem. In the end curiosity may have killed the cat, but in this case satisfaction brought it back.

later.
