[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

20040329: IDD/LDM - RPC Question



Patrick,

>Date: Mon, 29 Mar 2004 09:45:08 -0700
>From: Unidata Support <address@hidden>
>Organization: University of Northern Illinois
>To: address@hidden
>Subject: 20040329: IDD/LDM - RPC Question

The above message contained the following:

> I was contacted by our university network admin this morning about about a
> problem over the weekend between my upstream feed and my machine that
> triggered an intrusion detection on his end.  It seems that the upstream
> feed was sending "incomplete RPC segments" and "multiple RPC records" WAY
> above normal.  For example, on Friday, about 15,000 were detected, but over
> the weekend, 2.8 million and 2.45 million were detected, triggering a report
> to him.  I see no problems in my machine's logs, in latencies over the
> weekend, or in the data itself.  I also am not a networking expert, and was
> wondering if anyone could help explain what feature of the LDM/IDD could
> cause this, so I can put his mind at ease, for this case and in the event of
> future problems.  I have pretty much convinced him that it isn't malicious
> communication, but want to provide a bit more info to him.  Thanks!

It could be that the connection was broken for some reason and when
re-established later, the downstream LDM requested all the data that it 
missed.  This would appear as a continuous slew of RPC messages until
the downstream LDM caught up.

If the RPC messages were to a downstream LDM, then no harm can come to
the system.

Regards,
Steve Emmerson
LDM Developer