[nsp-sec] qwest user is misbehaving...
Smith, Donald
Donald.Smith at qwest.com
Wed Mar 26 15:33:26 EDT 2008
Has anyone heard of a nachi version that uses 61 byte echo requests
instead of the original 92 byte echo requests?
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Justin M. Streiner [mailto:streiner at cluebyfour.org]
> Sent: Wednesday, March 26, 2008 12:02 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] qwest user is misbehaving...
>
> On Wed, 26 Mar 2008, Smith, Donald wrote:
>
> > Justin, I will check and see if I can tell what is going on.
> > Do you have any additional details wrt this traffic?
>
> Hi Don:
>
> At this point it looks like a garden variety ICMP flood. The packets were
> all ICMP echoes, scattered to hosts within 130.49.0.0/16 and
> 136.142.0.0/16, which are sourced from AS4130 (University of Pittsburgh).
>
> Packet sizes didn't look out of the ordinary, but the miscreant was
> spreading the love pretty efficiently. All of the flows I saw were very
> short (1-2 packets) and pretty evenly distributed through these /16s.
>
> He might have been sending special love to our DNS servers because those
> became unresponsive for a few until I got all of his traffic filtered out
> at our borders. I'll have to check our flow reports to see if he was
> doing anything special to the DNS servers...
>
> I'll be back in a bit - have to go to a meeting.
>
> jms
>
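
An added example, not part of the original thread: a flow-record check for the pattern described in the quoted message (short ICMP echo flows spread evenly across the two /16s) that also tallies bytes per packet, so 61-byte and 92-byte echoes can be told apart. The tuple layout, thresholds and sample source addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Prefixes named in the thread (the targeted /16s).
MONITORED = [ipaddress.ip_network("130.49.0.0/16"),
             ipaddress.ip_network("136.142.0.0/16")]
ICMP, ECHO_REQUEST = 1, 8


def find_icmp_sweepers(flows, max_pkts=2, min_dsts=50, min_subnets=20):
    """Flag sources whose short ICMP echo flows are spread across the prefixes.

    flows: iterable of (src, dst, proto, icmp_type, packets, bytes) tuples,
    a hypothetical flattened flow-export layout; thresholds are assumptions.
    Returns {src: {"dsts": n, "subnets": n, "sizes": {bytes_per_pkt: flows}}}.
    """
    dsts = defaultdict(set)
    subnets = defaultdict(set)
    sizes = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, icmp_type, pkts, nbytes in flows:
        if proto != ICMP or icmp_type != ECHO_REQUEST or not 0 < pkts <= max_pkts:
            continue
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in MONITORED):
            continue
        dsts[src].add(addr)
        subnets[src].add(int(addr) >> 8)   # /24 bucket, measures how even the spread is
        sizes[src][nbytes // pkts] += 1    # per-packet size as counted by the exporter
    return {
        src: {"dsts": len(dsts[src]), "subnets": len(subnets[src]),
              "sizes": dict(sizes[src])}
        for src in dsts
        if len(dsts[src]) >= min_dsts and len(subnets[src]) >= min_subnets
    }


def constructed_flows():
    """Constructed sample: one sweeping source and one ordinary pinger."""
    flows = []
    for i in range(200):   # 203.0.113.7 touches 200 hosts in 200 different /24s
        net = "130.49" if i % 2 == 0 else "136.142"
        flows.append(("203.0.113.7", f"{net}.{i}.{(i * 37) % 254 + 1}", 1, 8, 1, 61))
    for _ in range(30):    # 198.51.100.9 pings a single host repeatedly
        flows.append(("198.51.100.9", "130.49.1.10", 1, 8, 2, 184))
    flows.append(("203.0.113.7", "130.49.5.5", 6, 0, 3, 180))  # TCP, ignored
    return flows


if __name__ == "__main__":
    for src, info in find_icmp_sweepers(constructed_flows()).items():
        print(src, info)
```
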