[technique] Incident : VLAN FranceIX 4032 sature 15h43-16h15

Laurent GUERBY laurent at guerby.net
Lun 18 Aou 16:35:46 CEST 2014 

Bonjour,

Vers 15h43 (13h43 TTC) le port du VLAN France-IX 4032 sur notre switch a
TLS00 s8 (24) s'est mis a recevoir jusqu'a 1 million de paquet par
seconde et jusqu'a 800 Mbit/s de traffic :

http://pano.tetaneutral.net/data/bw/vlan-4032-franceix-20140818-bw.png
http://pano.tetaneutral.net/data/bw/vlan-4032-franceix-20140818-pps.png

Via tcpdump ci-apres nous recevions du traffic non broadcast mais pas
destiné a notre MAC. Comme le lien gigabit entre TLS00 et Myrys prolonge
ce VLAN cela a perturbé le traffic sur une partie du reseau
tetaneutral.net (hebergement Myrys, radio Toulouse).

Nous avons donc pris la decision de couper le VLAN 4032 sur le port 24
du switch s8 ce qui a rétabli la situation vers 16h15, merci a Mehdi
pour son intervention sur le switch.

Sincérement,

Laurent

PS: notre MAC sur France-IX est 00:01:2e:2b:d2:07 

tcpdump sur une interface avec VLAN 4032 taggué
10:23:22.250924 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8121 > 37.49.236.229.179: S 2214955205:2214955205(0) win 65000 <mss 1460>
10:23:22.254295 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8121 > 37.49.236.229.179: S 2214955205:2214955205(0) win 65000 <mss 1460>
10:23:22.257017 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8223 > 37.49.236.229.179: S 2254946222:2254946222(0) win 65000 <mss 1460>
10:23:22.260102 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8052 > 37.49.236.229.179: S 2234955820:2234955820(0) win 65000 <mss 1460>
10:23:22.262470 84:b5:9c:05:39:fb > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 82: vlan 4032, p 0, ethertype IPv4, 37.49.236.227.56340 > 37.49.236.229.179: S 1897614667:1897614667(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 2170881914 0,sackOK,eol>
10:23:22.264140 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8052 > 37.49.236.229.179: S 2234955820:2234955820(0) win 65000 <mss 1460>
10:23:22.267894 00:0c:db:ff:0f:00 > 00:16:3e:56:4e:09, ethertype 802.1Q (0x8100), length 114: vlan 4032, p 0, ethertype IPv4, 213.246.61.65 > 37.49.236.54: ICMP echo request, id 14663, seq 3305, length 76
10:23:22.270947 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8227 > 37.49.236.229.179: S 2219954762:2219954762(0) win 65000 <mss 1460>
10:23:22.271538 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8097 > 37.49.236.229.179: S 2295220216:2295220216(0) win 65000 <mss 1460>
10:23:22.248985 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8153 > 37.49.236.229.179: S 2224951352:2224951352(0) win 65000 <mss 1460>
10:23:22.249203 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8023 > 37.49.236.229.179: S 2176201340:2176201340(0) win 65000 <mss 1460>
10:23:22.249591 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8052 > 37.49.236.229.179: S 2234955820:2234955820(0) win 65000 <mss 1460>
10:23:22.249851 84:b5:9c:05:39:fb > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 82: vlan 4032, p 0, ethertype IPv4, 37.49.236.227.61297 > 37.49.236.229.179: S 3582620762:3582620762(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 2170581570 0,sackOK,eol>
10:23:22.250137 84:b5:9c:05:39:fb > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 82: vlan 4032, p 0, ethertype IPv4, 37.49.236.227.62528 > 37.49.236.229.179: S 1990506780:1990506780(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 2170426569 0,sackOK,eol>
10:23:22.250464 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8122 > 37.49.236.229.179: S 2198206289:2198206289(0) win 65000 <mss 1460>
10:23:22.250809 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8067 > 37.49.236.229.179: S 2188196351:2188196351(0) win 65000 <mss 1460>
10:23:22.251048 00:0c:db:ff:0f:00 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 64: vlan 4032, p 0, ethertype IPv4, 37.49.236.10.8089 > 37.49.236.229.179: S 2278474383:2278474383(0) win 65000 <mss 1460>
10:23:22.251423 6c:9c:ed:04:2f:44 > 90:e2:ba:4e:21:7b, ethertype 802.1Q (0x8100), length 102: vlan 4032, p 0, ethertype IPv4, 212.83.129.111 > 37.49.237.14: ICMP echo request, id 21120, seq 10, length 64
10:23:22.251804 84:b5:9c:05:39:fb > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 82: vlan 4032, p 0, ethertype IPv4, 37.49.236.227.62528 > 37.49.236.229.179: S 1990506780:1990506780(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 2170426569 0,sackOK,eol>
10:23:22.252187 6c:9c:ed:04:2f:44 > 00:19:e8:ea:9e:90, ethertype 802.1Q (0x8100), length 102: vlan 4032, p 0, ethertype IPv4, 212.83.129.111 > 37.49.236.229: ICMP echo request, id 21108, seq 3, length 64
10:23:22.252457 00:11:92:bd:cf:19 > 00:30:48:8a:86:89, ethertype 802.1Q (0x8100), length 66: vlan 4032, p 0, ethertype IPv4, 37.49.236.82.36709 > 37.49.236.55.179: S 3635381382:3635381382(0) win 16384 <mss 1460,sackOK,eol>

Plus d'informations sur la liste de diffusion technique