[nsp-sec] qwest user is misbehaving...
Justin M. Streiner
streiner at cluebyfour.org
Wed Mar 26 14:01:32 EDT 2008
On Wed, 26 Mar 2008, Smith, Donald wrote:
> Justin, I will check and see if I can tell what is going on.
> Do you have any additional details wrt this traffic?
Hi Don:
At this point it looks like a garden variety ICMP flood. The packets were
all ICMP echoes, scattered to hosts within 130.49.0.0/16 and
136.142.0.0/16, which are sourced from AS4130 (University of Pittsburgh).
Packet sizes didn't look out of the ordinary, but the miscreant was
spreading the love pretty efficiently. All of the flows I saw were very
short (1-2 packets) and pretty evenly distributed through these /16s.
He might have been sending special love to our DNS servers because those
became unresponsive for a few until I got all of his traffic filtered out
at our borders. I'll have to check our flow reports to see if he was
doing anything special to the DNS servers...
I'll be back in a bit - have to go to a meeting.
jms