[nsp-sec] irc controller on 17974 | 202.134.0.199 | TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
Smith, Donald
Donald.Smith at qwest.com
Tue Jul 22 19:13:37 EDT 2008
We are seeing a small random src/dst port udp attack that appears to be controlled via irc (6667) from this system.
17974 | 202.134.0.199 | TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
The attackers are attacking several hosting sites/systems; not sure what their motive is.
Occasionally the attack moves to udp src=0 dst=0 but so far all the attack traffic is udp.
It could be spoofed but the engress interfaces are constant so I doubt it.
If someone could check out the server I believe we could shut it down as a c&c.
If you know which bot network this is I am interested in that but stopping the flood is more important.
It isn't a huge flood. We are handling it ok but the customer wouldn't mind if it stopped :)
donald.smith at qwest.com giac