I'd be interested to see a packet capture as well or hear something from staff.
Considering the amount of trouble this has caused I imagine this is something more custom built which mimics legitimate traffic. Login server login attempts or something like that.
Then I would guess there is a firewall rule which watches for X packets per Y time to the server which is considered abnormal and blacklists the IP for some period of time.
So, every time there is a lag spike it's when the attack starts from a new collection of IPs which must be allowed access for a period of time to determine if they are malicious or not.
This is all just a rough guess but hopefully it provides some insight into how these things work for those who are curious.
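A toy model of the rule the post guesses at (added example, not the poster's code and not the server's actual configuration): an IP that sends more than X packets within Y seconds is blacklisted for a while, and the threshold values, the ban length and the sample traffic are all assumptions chosen to show that each new source gets a few packets through before it is blocked.

```python
"""Packet-rate blacklist model: more than MAX_PACKETS from one IP inside WINDOW seconds
bans that IP for BAN_SECONDS. The threshold values and the traffic below are constructed
for illustration, not taken from any real server or capture."""
from collections import defaultdict, deque

MAX_PACKETS = 5      # X packets ...  (assumed value)
WINDOW = 1.0         # ... per Y seconds (assumed value)
BAN_SECONDS = 60.0   # how long a flagged IP stays blacklisted (assumed value)


class RateBlacklist:
    def __init__(self, max_packets=MAX_PACKETS, window=WINDOW, ban_seconds=BAN_SECONDS):
        self.max_packets = max_packets
        self.window = window
        self.ban_seconds = ban_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.banned_until = {}             # ip -> time at which the ban expires

    def observe(self, ip, ts):
        """Return True if the packet is let through, False if it is dropped."""
        ban = self.banned_until.get(ip)
        if ban is not None:
            if ts < ban:
                return False               # still blacklisted
            del self.banned_until[ip]      # ban expired, start counting again
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # slide the window forward
        if len(q) > self.max_packets:      # rate considered abnormal: blacklist
            self.banned_until[ip] = ts + self.ban_seconds
            q.clear()
            return False
        return True


def simulate(packets, **kw):
    """packets: iterable of (timestamp, src_ip). Returns (allowed per ip, total dropped)."""
    bl = RateBlacklist(**kw)
    allowed, dropped = defaultdict(int), 0
    for ts, ip in sorted(packets):
        if bl.observe(ip, ts):
            allowed[ip] += 1
        else:
            dropped += 1
    return dict(allowed), dropped


# Constructed sample: one client at 2 packets/s for 5 s, one source flooding at 100 packets/s
# for 0.5 s. The flooder gets MAX_PACKETS through before the rule catches it.
SAMPLE = ([(i * 0.5, "10.0.0.1") for i in range(10)]
          + [(i * 0.01, "198.51.100.7") for i in range(50)])

if __name__ == "__main__":
    print(simulate(SAMPLE))   # ({'10.0.0.1': 10, '198.51.100.7': 5}, 45)
```

The five packets that get through before the ban is the per-IP grace window the post describes; spread over many fresh source addresses, that window is where the lag spike comes from.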