[nsp-sec] TCP SYN flood (port 80) against 64.89.70.4 and 64.89.74.4 [again]

John Fraizer john at op-sec.us
Fri Feb 29 11:41:53 EST 2008




We've got an active DDoS - TCP port 80, SYN, 48 or 52 BPP with the overwhelming majority being 48BPP.

If you've got flows matching "proto tcp and flags S and (dst host 64.89.70.4 or dst host 64.89.74.4) and dst port 80" on your network, you've got bot. :)

Please do not null-route my victim IPs.  That would be very bad in this case. :)

I'd love to find out what is causing this though.

John Fraizer
AS11456 | AS6981

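
Added example, not part of the original message: a Python sketch that applies the flow filter quoted in the post to exported flow records and lists the local sources whose traffic matches the reported pattern. The CSV record layout, the sample flows and the extra narrowing to SYN-only flows at exactly 48 or 52 bytes per packet are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Victim addresses and packet sizes are the ones given in the post.
VICTIMS = {ipaddress.ip_address(a) for a in ("64.89.70.4", "64.89.74.4")}
ATTACK_BPP = {48, 52}

# Constructed sample flow records (not real data), one per line:
# src,dst,ip_proto,dst_port,tcp_flags,packets,bytes
SAMPLE_FLOWS = """\
192.0.2.10,64.89.70.4,6,80,S,400,19200
192.0.2.10,64.89.74.4,6,80,S,100,5200
192.0.2.77,64.89.70.4,6,80,SAPF,12,6100
198.51.100.5,64.89.70.4,6,443,S,3,144
198.51.100.9,64.89.74.4,17,80,,50,2400
203.0.113.20,64.89.74.4,6,80,S,2,120
192.0.2.33,203.0.113.1,6,80,S,1,48
"""

def parse_flows(text):
    """Yield one dict per CSV flow record."""
    for line in text.strip().splitlines():
        src, dst, proto, dport, flags, pkts, octets = line.split(",")
        yield {"src": src, "dst": ipaddress.ip_address(dst), "proto": int(proto),
               "dport": int(dport), "flags": flags, "pkts": int(pkts),
               "bytes": int(octets)}

def matches_post_filter(f):
    """proto tcp and flags S and (dst host A or dst host B) and dst port 80"""
    return (f["proto"] == 6 and "S" in f["flags"]
            and f["dst"] in VICTIMS and f["dport"] == 80)

def looks_like_flood(f):
    """Assumption added here: SYN-only flow averaging exactly 48 or 52 bytes/packet."""
    return (f["flags"] == "S" and f["pkts"] > 0
            and f["bytes"] / f["pkts"] in ATTACK_BPP)

def suspect_sources(text):
    """Aggregate flood-like flows per source address."""
    hits = defaultdict(lambda: {"flows": 0, "packets": 0})
    for f in parse_flows(text):
        if matches_post_filter(f) and looks_like_flood(f):
            hits[f["src"]]["flows"] += 1
            hits[f["src"]]["packets"] += f["pkts"]
    return dict(hits)

if __name__ == "__main__":
    for src, stats in sorted(suspect_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {stats['flows']} flows, {stats['packets']} SYN packets")
```

In the sample, the completed web session from 192.0.2.77 and the 60-byte SYNs from 203.0.113.20 match the quoted filter but are not counted, because they do not fit the SYN-only, 48 or 52 bytes-per-packet profile.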


