[nsp-sec] ACK RE: Please look for big flows to 194.109.5.94

Matthew.Swaar at us-cert.gov
Fri Aug 28 15:18:45 EDT 2009


Heyo, Scott!

I got nothing. 


 
Very Respectfully,

US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Scott A.
McIntyre
Sent: Friday, August 28, 2009 12:28 AM
To: NSP nsp-security
Subject: [nsp-sec] Please look for big flows to 194.109.5.94

----------- nsp-security Confidential --------


Hi all,

Overnight one of our router interfaces has been receiving a reasonable
amount of packet love:

1.25 Gbps @ 3.64 Mpps

The destination is 194.109.5.94, the traffic is tcp syn or udp.  Most of
the tcp is bound for 80 or 21.  Likely spoofed sources for most that we
see.  The interface itself should probably not get much/any traffic from
anyone, anywhere, other than the odd bit of udp or icmp in a traceroute.
We're mitigating on this end, but, if you see any reasonable flows in
your network starting at Fri, Aug 28 2009,
03:01:18 UTC, or 0200, or around that time, then you've definitely got
bot.

Thank you for any assistance you may be able to provide, it's
appreciated!!

Scott A. McIntyre
XS4ALL Internet B.V.

p.s. For the curious, it's likely Romanian controlled, targeting
Undernet's "Cservice" website, which we host -- their attacks on that  
directly weren't working, so they went one level higher in the trace.   
Ho hum.


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________
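Scott's request is, in effect, a flow-search recipe: look for traffic to 194.109.5.94 that starts around 02:00 to 03:01 UTC on 28 Aug 2009, is TCP SYN (mostly to ports 80 or 21) or UDP, and comes from hosts you actually originate, since anything further upstream is probably spoofed. The script below is an added example written for this page, not code from the thread or from XS4ALL or US-CERT. It assumes a constructed CSV-style flow export (start time, src, dst, proto, dst port, TCP flags, packets, bytes) and a hypothetical customer prefix 10.20.30.0/24 standing in for "your network"; the sample records are made up and only the destination address and time window come from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample flow export (not from the original post), one record per line:
# start_utc,src_ip,dst_ip,proto,dst_port,tcp_flags,packets,bytes
SAMPLE_FLOWS = """\
2009-08-28T03:01:20Z,10.20.30.40,194.109.5.94,tcp,80,S,52000,2080000
2009-08-28T03:01:22Z,10.20.30.41,194.109.5.94,udp,53,,48000,3840000
2009-08-28T03:02:05Z,10.20.30.40,194.109.5.94,tcp,21,S,30000,1200000
2009-08-28T03:03:10Z,10.20.99.7,194.109.5.94,tcp,443,SA,40,6000
2009-08-27T22:15:00Z,10.20.30.42,194.109.5.94,tcp,80,S,900,36000
2009-08-28T03:05:00Z,10.20.30.43,198.51.100.9,udp,123,,12,1000
2009-08-28T03:06:00Z,10.20.30.44,194.109.5.94,icmp,0,,3,168
"""

TARGET = ip_address("194.109.5.94")                              # destination named in the post
WINDOW_START = datetime(2009, 8, 28, 2, 0, tzinfo=timezone.utc)  # "0200 UTC, or around that time"
ATTACK_TCP_PORTS = {80, 21}                                      # "most of the tcp is bound for 80 or 21"
# Assumption: the prefix this operator originates. Only flows sourced inside it are
# attributable to a real host; sources seen further upstream are likely spoofed.
OUR_PREFIX = ip_network("10.20.30.0/24")


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    proto: str
    dst_port: int
    tcp_flags: str
    packets: int
    bytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV-style export above into Flow records."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, proto, port, flags, pkts, byts = line.split(",")
        flows.append(Flow(
            start=datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            src=src, dst=dst, proto=proto.lower(), dst_port=int(port),
            tcp_flags=flags, packets=int(pkts), bytes=int(byts)))
    return flows


def is_attack_flow(f: Flow) -> bool:
    """True if the flow matches the pattern described in the post."""
    if ip_address(f.dst) != TARGET or f.start < WINDOW_START:
        return False
    if f.proto == "udp":
        return True
    if f.proto == "tcp":
        # SYN-only (no ACK) toward the web/ftp ports; a SYN/ACK is a reply, not a flood
        return set(f.tcp_flags) == {"S"} and f.dst_port in ATTACK_TCP_PORTS
    return False  # icmp and the rest: the odd traceroute probe is expected


def suspected_bots(flows: List[Flow]) -> List[Tuple[str, int, int]]:
    """Aggregate matching flows per source inside OUR_PREFIX.

    Returns (src_ip, total_packets, flow_count), largest senders first.
    """
    totals: Dict[str, Tuple[int, int]] = {}
    for f in flows:
        if not is_attack_flow(f) or ip_address(f.src) not in OUR_PREFIX:
            continue
        pk, n = totals.get(f.src, (0, 0))
        totals[f.src] = (pk + f.packets, n + 1)
    return sorted(((src, pk, n) for src, (pk, n) in totals.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, pkts, n in suspected_bots(parse_flows(SAMPLE_FLOWS)):
        print(f"{src}: {pkts} packets over {n} flows toward {TARGET}")
```

The filter deliberately drops the SYN/ACK flow (a reply, not a flood packet), the ICMP record (the traceroute noise Scott says is normal), the flow from before the window, and the source outside the prefix, so what remains is the short list of hosts an operator would actually quarantine and clean.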