Traffic anomaly wanguard alerts for mtv2/sfo1 pbx hosts

RESOLVED WONTFIX

Status

Infrastructure & Operations
NetOps
RESOLVED WONTFIX
2 years ago
2 years ago

People

(Reporter: pir, Assigned: dcurado)

Tracking

Details

(Reporter)

Description

2 years ago
1) Incident #28992
   Opened on: Apr 11 at 2:41 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx1.p2p.sfo1.mozilla.com (External SFO1) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28992
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.219.52
       decoder: TCP+SYN
       duration: 140
       total_pps: 856
       total_bps: 411006
       severity: 3.2400
       ip_group: External SFO1
       ip_dns: pbx1.p2p.sfo1.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Core_ border1.pao1_xe-1_2_0 {Abovenet W03180-00}]

2) Incident #28993
   Opened on: Apr 11 at 2:41 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx1.p2p.sfo1.mozilla.com (External SFO1) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28993
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.219.52
       decoder: TCP+SYN
       duration: 140
       total_pps: 856
       total_bps: 411006
       severity: 3.2400
       ip_group: External SFO1
       ip_dns: pbx1.p2p.sfo1.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Transit_ Telia (AS 1299) {IC 155747}]

3) Incident #28994
   Opened on: Apr 11 at 2:41 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx.mtv2.mozilla.com (External MTV2) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28994
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.221.35
       decoder: TCP+SYN
       duration: 140
       total_pps: 442
       total_bps: 212388
       severity: 1.7200
       ip_group: External MTV2
       ip_dns: pbx.mtv2.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Transit_ Telia (AS 1299) {IC 155747}]
(Reporter)

Comment 1

2 years ago
    Resolved by: API at Apr 11 at 2:49 PM BST
(Reporter)

Comment 2

2 years ago
1) Incident #28995
   Opened on: Apr 11 at 3:05 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx1.p2p.sfo1.mozilla.com (External SFO1) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28995
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.219.52
       decoder: TCP+SYN
       duration: 140
       total_pps: 797
       total_bps: 382743
       severity: 2.9600
       ip_group: External SFO1
       ip_dns: pbx1.p2p.sfo1.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Core_ border1.pao1_xe-1_2_0 {Abovenet W03180-00}]

2) Incident #28996
   Opened on: Apr 11 at 3:05 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx.mtv2.mozilla.com (External MTV2) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28996
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.221.35
       decoder: TCP+SYN
       duration: 140
       total_pps: 382
       total_bps: 183360
       severity: 1.4800
       ip_group: External MTV2
       ip_dns: pbx.mtv2.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Transit_ Telia (AS 1299) {IC 155747}]

3) Incident #28997
   Opened on: Apr 11 at 3:05 PM BST
   Service: Wanguard (Traffic anomalies (DDoS, high usage, etc..) and netflow collector)
   Description: Traffic anomaly detected to pbx1.p2p.sfo1.mozilla.com (External SFO1) (Thresholds Offices DDoS)
   Link: https://mozilla.pagerduty.com/i/28997
   Escalation Policy: MOC
   Details:
       direction_to_from: to
       ip: 63.245.219.52
       decoder: TCP+SYN
       duration: 140
       total_pps: 797
       total_bps: 382743
       severity: 2.9600
       ip_group: External SFO1
       ip_dns: pbx1.p2p.sfo1.mozilla.com
       template: Thresholds Offices DDoS
       anomaly: TCP+SYN pkts/s > 25
       sensor: border1.sjc2 [Transit_ Telia (AS 1299) {IC 155747}]
(Assignee)

Comment 3

2 years ago
Thank you for opening this bug.
Looks like a very brief syn flood -- not sure if "flood" is all that accurate. 
Not going to take any action on this at this time.
If it repeats, it warrants a closer look.

Thanks again.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
(Assignee)

Updated

2 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.