[nsp-sec] Please look for big flows to 194.109.5.94

Scott A. McIntyre scott at xs4all.net
Fri Aug 28 09:57:43 EDT 2009


On Aug 28, 2009, at 06:27 , Scott A. McIntyre wrote:

> ----------- nsp-security Confidential --------
>
>
> Hi all,
>
> Overnight one of our router interfaces has been receiving a  
> reasonable amount of packet love:
>
> 1.25 Gbps @ 3.64 Mpps
>
> The destination is 194.109.5.94, the traffic is tcp syn or udp.   
> Most of the tcp is bound for 80 or 21.  Likely spoofed sources for  
> most that we see.  The interface itself should probably not get much/ 
> any traffic from anyone, anywhere, other than the odd bit of udp or  
> icmp in a traceroute.  We're mitigating on this end, but, if you see  
> any reasonable flows in your network starting at Fri, Aug 28 2009,  
> 03:01:18 UTC, or 0200, or around that time, then you've definitely  
> got bot.

The flows to the target mentioned reached a height of just under 15  
million packets per second of love.  It's actually the second such  
attack, the first being 22:36, Aug 20 2009, again, UTC +0200.

Many many thanks to the community for your help thus far, both the  
ACK'ers who stomped on sources and the NACK'ers who checked.

Other targets that are feeling love for this same attack:

194.109.20.90
194.109.147.174

Both should have *some* traffic, but certainly not hundreds or  
thousands of packets per second.  They're getting around 500K to  
800Kpps at the moment as well.

My Peakflow is a sea of red today...yay!

Thanks again,

Scott

--

XS4ALL Internet B.V.
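
One way to run the search requested above over exported flow records, added here as an example and not part of the original message. The CSV layout, the sample rows, the `min_packets` threshold and reading the stated start time as UTC+0200 are assumptions; hits are grouped by ingress interface rather than source address because the message says sources are likely spoofed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Destinations named in the message.
TARGETS = {"194.109.5.94", "194.109.20.90", "194.109.147.174"}
# Assumption: the stated start (Aug 28 2009, 03:01:18) is local time, UTC+0200.
START = datetime(2009, 8, 28, 3, 1, 18, tzinfo=timezone(timedelta(hours=2)))
TCP, UDP, SYN, ACK = 6, 17, 0x02, 0x10

# Constructed sample export; the column layout is hypothetical, timestamps are UTC.
SAMPLE = """start_utc,router,in_if,src,dst,proto,dport,tcp_flags,packets
2009-08-28T01:05:00,edge1,ge-0/0/1,10.1.1.5,194.109.5.94,6,80,2,900000
2009-08-28T01:06:00,edge1,ge-0/0/1,172.16.9.9,194.109.5.94,17,53,0,400000
2009-08-28T01:10:00,edge2,xe-1/0/0,10.2.2.2,194.109.20.90,6,80,27,40
2009-08-27T23:00:00,edge2,xe-1/0/0,10.2.2.3,194.109.5.94,6,21,2,5000
2009-08-28T02:00:00,edge3,ge-0/1/0,10.3.3.3,198.51.100.7,6,80,2,700000
2009-08-28T01:30:00,edge2,xe-1/0/0,10.2.2.9,194.109.147.174,6,21,2,250000
"""


def matches(row, start=START):
    """True for UDP or SYN-only TCP flows to a target at or after `start`."""
    ts = datetime.fromisoformat(row["start_utc"]).replace(tzinfo=timezone.utc)
    if row["dst"] not in TARGETS or ts < start:
        return False
    proto, flags = int(row["proto"]), int(row["tcp_flags"])
    if proto == UDP:
        return True
    # Flow records OR together every flag seen; SYN without ACK means the
    # handshake never completed, which is what a SYN flood looks like.
    return proto == TCP and bool(flags & SYN) and not flags & ACK


def suspect_ports(csv_text, min_packets=1000):
    """Sum matching packets per (router, ingress interface), largest first."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if matches(row):
            totals[(row["router"], row["in_if"])] += int(row["packets"])
    hits = [(port, n) for port, n in totals.items() if n >= min_packets]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for (router, in_if), packets in suspect_ports(SAMPLE):
        print(f"{router} {in_if}: {packets} packets toward targets")
```

The destination port is not filtered on, since the message says only that most of the TCP is bound for 80 or 21.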