Troubleshooting failed Internet accesses

For the last few days I had noticed that something really odd was happening. Soon after I would start a torrent to download some VirtualBox appliance, all new Internet accesses would stop. Existing connections would continue to work--for example, a file that was being downloaded before I started the torrent continued to download, but a new tab in Firefox would refuse to open. After some time (more than 30 minutes by my guess), the operation would return to normal. This baffled me, so I started to investigate this more systematically.

First I observed that this phenomenon did not necessarily appear after starting the first of many torrents. So clearly something was being precipitated by the torrent starting up and not simply because a torrent was active. Next, when the phenomenon was active, I tried pinging Google's DNS servers. They worked fine. Next I tried to SSH into a remote machine in the USA. The connection failed. So I tried to SSH into a machine on the LAN. The connection failed again. Clearly something was blocking only TCP traffic.

Next I forced a switch of my IP address. Immediately, all websites, i.e. new web connections, opened up fine. So it appeared that this blocking was attached to the IP address. I still did not know whether it was being blocked on my machine or on the network. So I installed Wireshark and snooped on my local outbound network traffic. Everything appeared fine. Then I started a couple of torrents. I saw a flurry of new TCP and UDP connections. Then I tried opening up a new Firefox tab to Yahoo. Wireshark showed that no SYN ACK packets were coming back. That was it. The blocking was occurring on the network.
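The Wireshark observation above (SYNs going out, no SYN/ACKs coming back) can be turned into a quick check over a packet summary. The following is an added example and not code from the original post; it assumes a one-line-per-packet summary of the kind a trimmed tshark export gives ("time src sport dst dport flags"), and the capture it runs on is constructed here, using documentation address ranges rather than real servers.

```python
# Added example, not from the original post: find client-side TCP SYNs that
# never got a SYN/ACK back, the symptom seen in Wireshark above. The input
# format is an assumed one-line-per-packet summary (like a trimmed tshark
# export): "time src sport dst dport flags", flags "S" = SYN, "SA" = SYN/ACK.

# Constructed sample, not a real capture. 10.0.5.23 stands in for the laptop;
# the other addresses are documentation ranges, not real servers.
SAMPLE = """\
0.000 10.0.5.23 40000 203.0.113.10 443 S
0.045 203.0.113.10 443 10.0.5.23 40000 SA
0.046 10.0.5.23 40000 203.0.113.10 443 A
1.200 10.0.5.23 50124 198.51.100.7 443 S
1.500 10.0.5.23 50125 192.0.2.44 22 S
2.210 10.0.5.23 50124 198.51.100.7 443 S
4.230 10.0.5.23 50124 198.51.100.7 443 S
6.000 10.0.5.23 50125 192.0.2.44 22 S
"""


def classify_syns(summary, client_ip, timeout=3.0):
    """Return (completed, unanswered).

    completed:  list of (sport, dst, dport) whose SYN got a SYN/ACK.
    unanswered: list of ((sport, dst, dport), retransmissions) for attempts
                with no SYN/ACK where at least `timeout` seconds of capture
                followed the first SYN, so attempts still pending at the end
                of the capture are not flagged.
    """
    first_syn = {}   # (sport, dst, dport) -> time of first SYN
    retries = {}     # (sport, dst, dport) -> number of retransmitted SYNs
    answered = set()
    last_seen = 0.0
    for line in summary.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split()
        t = float(t)
        last_seen = max(last_seen, t)
        if src == client_ip and flags == "S":
            key = (int(sport), dst, int(dport))
            if key in first_syn:
                retries[key] = retries.get(key, 0) + 1   # kernel retrying the SYN
            else:
                first_syn[key] = t
        elif dst == client_ip and flags == "SA":
            # Reverse direction: the server's sport is our dport and vice versa.
            answered.add((int(dport), src, int(sport)))
    completed = [k for k in first_syn if k in answered]
    unanswered = [(k, retries.get(k, 0)) for k, t0 in first_syn.items()
                  if k not in answered and last_seen - t0 >= timeout]
    return completed, unanswered


def summarize(summary, client_ip, timeout=3.0):
    """Counts only; the thing to look at is whether every new attempt after
    some point is dead while older flows keep exchanging data."""
    completed, unanswered = classify_syns(summary, client_ip, timeout)
    return {"completed": len(completed), "unanswered": len(unanswered)}


if __name__ == "__main__":
    print(summarize(SAMPLE, "10.0.5.23"))
```

The retransmission count is worth keeping: a SYN that the kernel retries several times with nothing coming back is the signature of a silent drop somewhere on the path, as opposed to an RST, which would show a rejecting host.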

Since I was accessing the Internet using a college LAN whose operators had their own commercial UTM box, I had to walk up to the college system administrator. I explained the problem to him, but he did not have any significant insight into the matter. He said that by default no traffic was blocked---even torrents. So I persuaded him to let me look at the UTM interface. The UTM was a Cyberoam 50i device. After about half an hour of trying to figure out which of the settings affected what, I had a nagging suspicion about one of the parameters.

A quick call to Cyberoam and my suspicion was confirmed. It turned out that the UTM firewall limited the maximum number of new connections per minute per user (essentially per IP address). If the threshold was crossed---and this is what surprised me---the machine was blocked from making any new connections for a certain period of time. So essentially, even as existing connections from the machine steadily dropped to zero, the machine was not allowed to make new connections. Clearly, this was done to prevent a classic DoS attack and to give the network administrator time to investigate whether the flurry of new connections was an attack or a genuine request from a user. Nevertheless, this was inconvenient for me. So we increased the threshold values for the maximum number of connections by an order of magnitude. No doubt if someone does attack the UTM, it will be harder to detect now, but that is unlikely from within the college network. For my part, though, I have not seen that phenomenon recur.
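The behaviour the vendor described (a per-source cap on new connections per minute, with a lockout on new connections only once it is crossed) explains every observation in the post: the in-progress download kept flowing, pings were unaffected, fresh SSH and browser connections got no SYN/ACK, and a change of IP address cleared it. The simulation below is an added example, not the original post's code and not Cyberoam's implementation; the sliding 60-second window, the lockout length, the client address and the size of the torrent burst are all assumptions chosen to replay the story.

```python
# Added example, not from the original post and not Cyberoam's code: a
# simulation of the behaviour the vendor described, with assumed semantics.
# Assumption: "new connections per minute" is a sliding 60 s window per
# source IP; crossing the threshold blocks that source from opening *new*
# connections for `block_seconds`, while already-established flows keep working.
from collections import deque


class NewConnectionLimiter:
    def __init__(self, max_per_minute, block_seconds):
        self.max_per_minute = max_per_minute
        self.block_seconds = block_seconds
        self.recent = {}          # src -> deque of SYN timestamps within 60 s
        self.blocked_until = {}   # src -> time when the lockout ends
        self.established = set()  # (src, sport, dst, dport) flows already allowed

    def is_blocked(self, now, src):
        return now < self.blocked_until.get(src, 0.0)

    def new_connection(self, now, src, sport, dst, dport):
        """A SYN from src. Returns True if the firewall lets it through."""
        if self.is_blocked(now, src):
            return False  # lockout: SYN silently dropped, no SYN/ACK ever comes back
        window = self.recent.setdefault(src, deque())
        while window and now - window[0] >= 60.0:
            window.popleft()  # forget SYNs older than the one-minute window
        window.append(now)
        if len(window) > self.max_per_minute:
            self.blocked_until[src] = now + self.block_seconds
            return False
        self.established.add((src, sport, dst, dport))
        return True

    def packet_allowed(self, now, src, sport, dst, dport):
        """Non-SYN packet on an existing flow: passes even during a lockout."""
        return (src, sport, dst, dport) in self.established


def scenario(max_per_minute, block_seconds=1800):
    """Replay the sequence from the post: one download already running,
    then a torrent start-up burst, then a new browser tab, then waiting it out."""
    fw = NewConnectionLimiter(max_per_minute, block_seconds)
    me = "10.0.5.23"  # hypothetical client address
    download = (me, 40000, "203.0.113.10", 443)
    fw.new_connection(0.0, *download)

    # Torrent start: 300 peer connections in about 15 s (constructed numbers).
    burst_accepted = sum(
        int(fw.new_connection(1.0 + i * 0.05, me, 50000 + i,
                              f"198.51.100.{i % 200}", 6881))
        for i in range(300)
    )
    return {
        "burst_accepted": burst_accepted,
        "download_still_flowing": fw.packet_allowed(30.0, *download),
        "new_tab_at_30s": fw.new_connection(30.0, me, 51000, "192.0.2.80", 443),
        "new_tab_after_lockout": fw.new_connection(30.0 + block_seconds, me,
                                                   51001, "192.0.2.80", 443),
    }


if __name__ == "__main__":
    print("threshold 100/min:", scenario(100))
    print("threshold 1000/min:", scenario(1000))
```

With a threshold of 100 per minute the burst trips the lockout after 99 peer connections, the running download is untouched, the browser tab at 30 seconds is dropped, and only after the lockout expires does a new connection succeed. Raising the threshold by an order of magnitude (1000 per minute) lets the whole burst and the browser tab through, which is the trade-off the administrator accepted: a genuine connection flood from inside the network now has ten times more room before the box reacts.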