[nsp-sec] DoS to 206.140.121.0/24?
Rob Thomas
robt at cymru.com
Tue Mar 4 09:40:22 EST 2008
Hey, John.
> Anyone seeing "high" rate queries from hosts in 206.140.121.0/24
> generating root referrals?
There's a bit of Storm in 206.140.121.0/24, along with a lot of
spam. We see at least three Storm samples coming from IPs in that /24:
timestamp | sha1
| md5 | dst_ip | dst_port |
protocol | size
--------------------- ------------------------------------------
---------------------------------- ----------------- ----------
---------- ------
2008-01-11 01:51:16 | 71af0874cdb19d53da1090643fc11f57fdf2c002 |
66af99bae9630cad540bf7652739fe6e | 206.140.121.108 | 7314 |
17 | 33
2008-01-15 17:46:02 | 780a1d6147fa88b1e05c03cbef6528dccadeabfa |
536b79a12733ed9cadd8f8e3a6e58726 | 206.140.121.94 | 7314 |
17 | 33
2008-01-15 20:36:33 | a16f1e178dbb5543978ef8f8b95a9cc27c801e0f |
5a64467e37d8dd13292504abb29088c5 | 206.140.121.94 | 7314 |
17 | 33
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
More information about the nsp-security
mailing list