[nsp-sec] Please look for big flows to 194.109.5.94
Scott A. McIntyre
scott at xs4all.net
Fri Aug 28 00:27:37 EDT 2009

Hi all,

Overnight one of our router interfaces has been receiving a reasonable
amount of packet love:

1.25 Gbps @ 3.64 Mpps

The destination is 194.109.5.94, the traffic is tcp syn or udp. Most
of the tcp is bound for 80 or 21. Likely spoofed sources for most
that we see. The interface itself should probably not get much/any
traffic from anyone, anywhere, other than the odd bit of udp or icmp
in a traceroute. We're mitigating on this end, but, if you see any
reasonable flows in your network starting at Fri, Aug 28 2009,
03:01:18 UTC, or 0200, or around that time, then you've definitely got
bot.

Thank you for any assistance you may be able to provide, it's
appreciated!!

Scott A. McIntyre
XS4ALL Internet B.V.

p.s. For the curious, it's likely Romanian controlled, targeting
Undernet's "Cservice" website, which we host -- their attacks on that
directly weren't working, so they went one level higher in the trace.
Ho hum.
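
The flow check requested above, as an added example that is not part of the original message: it filters exported flow records for UDP or bare TCP SYN traffic to 194.109.5.94 from 02:00 UTC on 28 Aug 2009 and totals it per ingress interface. The CSV column layout, the interface names, the sample rows and the packet threshold are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

TARGET = "194.109.5.94"  # destination named in the mail
# The mail gives 03:01:18 UTC "or 0200, or around that time"; start at the earlier mark.
WINDOW_START = datetime(2009, 8, 28, 2, 0, 0, tzinfo=timezone.utc)

# Constructed sample flow export; the column layout is an assumption, not a real tool's format.
SAMPLE_FLOWS = """start,ingress_if,src,dst,proto,dport,tcp_flags,packets,bytes
2009-08-28T01:10:00Z,ge-0/0/1,198.51.100.7,194.109.5.94,udp,33434,,3,180
2009-08-28T03:01:20Z,ge-0/0/1,203.0.113.9,194.109.5.94,tcp,80,S,90000,5400000
2009-08-28T03:01:25Z,ge-0/0/1,192.0.2.44,194.109.5.94,tcp,21,S,60000,3600000
2009-08-28T03:02:00Z,ge-0/0/2,192.0.2.80,194.109.5.94,udp,53,,40000,2400000
2009-08-28T03:02:10Z,ge-0/0/3,198.51.100.20,194.109.5.94,tcp,80,SA,12,900
2009-08-28T03:03:00Z,ge-0/0/2,203.0.113.5,192.0.2.10,tcp,80,S,70000,4200000
"""

def matches_attack(row):
    """True for a flow to the target, in the window, that is UDP or a bare TCP SYN."""
    start = datetime.fromisoformat(row["start"].replace("Z", "+00:00"))
    if row["dst"] != TARGET or start < WINDOW_START:
        return False
    return row["proto"] == "udp" or (row["proto"] == "tcp" and row["tcp_flags"] == "S")

def flows_by_ingress(csv_text):
    """Sum packets and bytes per ingress interface. Sources are likely spoofed,
    so the interface the traffic entered on says more than the source address."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if matches_attack(row):
            t = totals[row["ingress_if"]]
            t["packets"] += int(row["packets"])
            t["bytes"] += int(row["bytes"])
            t["flows"] += 1
    return dict(totals)

def big_talkers(csv_text, min_packets=10000):
    """Ingress interfaces at or above an assumed packet threshold, largest first."""
    totals = flows_by_ingress(csv_text)
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return [(name, t) for name, t in ranked if t["packets"] >= min_packets]

if __name__ == "__main__":
    for name, t in big_talkers(SAMPLE_FLOWS):
        print(f"{name}: {t['flows']} flows, {t['packets']} packets, {t['bytes']} bytes")
```
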