[nsp-sec] Please look for big flows to 194.109.5.94
Zane Jarvis
zane at auscert.org.au
Fri Aug 28 01:39:01 EDT 2009
NACK from here.
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
> Sent: Friday, 28 August 2009 2:28 PM
> To: NSP nsp-security
> Subject: [nsp-sec] Please look for big flows to 194.109.5.94
>
> ----------- nsp-security Confidential --------
>
>
> Hi all,
>
> Overnight one of our router interfaces has been receiving a reasonable
> amount of packet love:
>
> 1.25 Gbps @ 3.64 Mpps
>
> The destination is 194.109.5.94, the traffic is tcp syn or udp. Most
> of the tcp is bound for 80 or 21. Likely spoofed sources for most
> that we see. The interface itself should probably not get much/any
> traffic from anyone, anywhere, other than the odd bit of udp or icmp
> in a traceroute. We're mitigating on this end, but, if you see any
> reasonable flows in your network starting at Fri, Aug 28 2009,
> 03:01:18 UTC, or 0200, or around that time, then you've definitely got
> bot.
>
> Thank you for any assistance you may be able to provide, it's
> appreciated!!
>
> Scott A. McIntyre
> XS4ALL Internet B.V.
>
> p.s. For the curious, it's likely Romanian controlled, targeting
> Undernet's "Cservice" website, which we host -- their attacks on that
> directly weren't working, so they went one level higher in the trace.
> Ho hum.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
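
An added example, not part of the original thread or any poster's tooling: one way to run the check requested above over exported flow records, grouping matches by ingress interface because the post says the sources are likely spoofed. The CSV column names, the sample rows, the packet threshold and the reading of "0200" as UTC are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

TARGET = "194.109.5.94"                      # destination named in the post
# Assumption: earliest start time, reading the post's "0200" as UTC on 28 Aug 2009.
WINDOW_START = datetime(2009, 8, 28, 2, 0, tzinfo=timezone.utc)
SYN, ACK = 0x02, 0x10

# Constructed flow export: hypothetical column names, documentation-range sources.
SAMPLE = """start,src,dst,proto,dport,tcp_flags,packets,bytes,in_if
2009-08-28T03:01:20Z,198.51.100.7,194.109.5.94,6,80,2,90000,3600000,ge-0/0/1
2009-08-28T03:01:25Z,203.0.113.9,194.109.5.94,6,21,2,60000,2400000,ge-0/0/1
2009-08-28T03:02:10Z,192.0.2.44,194.109.5.94,17,53,0,40000,2400000,xe-1/0/0
2009-08-28T03:05:00Z,192.0.2.10,194.109.5.94,17,33434,0,3,180,ge-0/0/2
2009-08-27T22:00:00Z,198.51.100.9,194.109.5.94,6,80,2,50000,2000000,ge-0/0/3
2009-08-28T03:03:00Z,198.51.100.20,192.0.2.80,6,80,18,70000,5000000,ge-0/0/1
2009-08-28T03:04:00Z,203.0.113.50,194.109.5.94,6,80,27,20000,9000000,ge-0/0/4
"""

def matches(row):
    """True for TCP SYN-only or UDP flows to TARGET inside the window."""
    if row["dst"] != TARGET:
        return False
    start = datetime.strptime(row["start"], "%Y-%m-%dT%H:%M:%SZ")
    if start.replace(tzinfo=timezone.utc) < WINDOW_START:
        return False
    proto, flags = int(row["proto"]), int(row["tcp_flags"])
    if proto == 17:
        return True
    # Flow records OR together the flags seen; SYN without ACK means no handshake.
    return proto == 6 and bool(flags & SYN) and not flags & ACK

def suspect_interfaces(text, min_packets=10000):
    """Sum packets/bytes per ingress interface; sources are likely spoofed,
    so the ingress interface is the usable key. Threshold is an assumption."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(text)):
        if matches(row):
            totals[row["in_if"]][0] += int(row["packets"])
            totals[row["in_if"]][1] += int(row["bytes"])
    hits = {k: tuple(v) for k, v in totals.items() if v[0] >= min_packets}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][0]))

if __name__ == "__main__":
    for in_if, (pkts, octets) in suspect_interfaces(SAMPLE).items():
        print(f"{in_if}: {pkts} packets, {octets} bytes")
```

The threshold keeps the "odd bit of udp" from a traceroute out of the result, and the flag test drops established TCP sessions to the same address.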