[nsp-sec] udp/53 flood -> 64.39.129.23 - 300Kpps
Lawrence Baldwin
baldwinl at mynetwatchman.com
Tue Jul 29 12:13:02 EDT 2008
One of my customers just called a few minutes ago...thinking they were being
DDoSed. Upon looking at the traffic we're seeing tremendous inbound udp/53
traffic:
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 4
# Name: Source/Destination IP
#
# Args: flow-stat -f 10 -S 4
#
#
# src IPaddr dst IPaddr flows octets packets
#
193.230.175.3 64.39.129.23 11 70392634 1637038
91.121.91.179 64.39.129.23 11 70208035 1632745
Above is about 2 minutes of *sampled* netflow.
193.230.175.3|6746||ro|astral.ro|abuse at astral.ro
91.121.91.179|16276|||ovh.net|abuse at ovh.net
The nature of the IPs does NOT make sense for this to be poisoning
attempts...I don't have full payload yet but am suspecting this may be poisoning
activity.
91.121.91.179
HTTP:Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
SMTP:220 zx12r-clubdefrance.org ESMTP Postfix (Debian/GNU)
193.230.175.3 upc.topnet.ro A
Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Alpharetta, GA
+1.678.624.0924
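Added example (not part of the original post or of flow-tools): a small parser for the `flow-stat -f 10 -S 4` output quoted above that estimates per-source and per-destination packet rates and average packet size, so an operator can flag a udp/53 flood from sampled NetFlow. The sample text is a constructed copy of the two rows in the post; the 120-second window (the "about 2 minutes" mentioned), the `sample_rate` scaling factor and the 10 Kpps threshold are assumptions, not values stated by the author.

```python
from collections import defaultdict

# Constructed sample modelled on the flow-stat -f 10 -S 4 output in the post.
# Columns: src IPaddr, dst IPaddr, flows, octets, packets.
SAMPLE = """\
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 4
# Name: Source/Destination IP
#
# Args: flow-stat -f 10 -S 4
#
# src IPaddr dst IPaddr flows octets packets
#
193.230.175.3 64.39.129.23 11 70392634 1637038
91.121.91.179 64.39.129.23 11 70208035 1632745
"""


def parse_flow_stat(text):
    """Parse flow-stat -f 10 output into dicts, skipping '#' comment lines.

    Rows that do not have exactly five fields (e.g. a header line that
    extraction wrapped onto two lines) are skipped rather than raising.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, flows, octets, packets = parts
        rows.append({
            "src": src,
            "dst": dst,
            "flows": int(flows),
            "octets": int(octets),
            "packets": int(packets),
        })
    return rows


def avg_packet_size(row):
    """Average bytes per packet; small values (~40-60 B) are typical of DNS queries."""
    return row["octets"] / row["packets"]


def pps_per_pair(rows, window_seconds, sample_rate=1):
    """Estimated packets/sec per (src, dst).

    sample_rate is the assumed NetFlow sampling ratio (1 = unsampled,
    100 = one in a hundred packets exported); sampled counts are scaled up.
    """
    return {
        (r["src"], r["dst"]): r["packets"] * sample_rate / window_seconds
        for r in rows
    }


def pps_per_destination(rows, window_seconds, sample_rate=1):
    """Aggregate estimated packets/sec arriving at each destination."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["dst"]] += r["packets"]
    return {dst: n * sample_rate / window_seconds for dst, n in totals.items()}


def flag_floods(rows, window_seconds, threshold_pps, sample_rate=1):
    """Return (src, dst, pps) tuples above threshold, highest rate first."""
    rates = pps_per_pair(rows, window_seconds, sample_rate)
    hits = [(src, dst, pps) for (src, dst), pps in rates.items() if pps >= threshold_pps]
    return sorted(hits, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    rows = parse_flow_stat(SAMPLE)
    # Assumed: 120 s window, unsampled counts, 10 Kpps per-source alert threshold.
    for src, dst, pps in flag_floods(rows, 120, 10_000):
        print(f"ALERT {src} -> {dst}: {pps:,.0f} pps")
    for dst, pps in pps_per_destination(rows, 120).items():
        print(f"total to {dst}: {pps:,.0f} pps")
```

Because the counts are sampled, the absolute rates are only as good as the `sample_rate` you pass in; the relative ranking of sources and the ~43-byte average packet size are still useful on their own, since tiny UDP packets toward port 53 at a high rate look like query floods rather than bulk transfers.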