[nsp-sec] Got traffic? - DDoS
John Fraizer
john at op-sec.us
Thu Jul 16 11:50:17 EDT 2009
Note that the RFC1918 space is showing up there not because of spoofing but
because I'm seeing all of the VRFs in my flows. We have multi-site
customers who use a "hub" site to NAT their traffic towards the global
internet. I'll see both their RFC1918 packet and the one after it gets
NAT'd in my flows.
On Thu, Jul 16, 2009 at 3:48 PM, John Fraizer <john at op-sec.us> wrote:
> Over the past 30 mins:
>
> nfdump filter:
> host in [156.154.100.3 156.154.101.3 156.154.102.3 156.154.103.3]
> Top 500 IP Addr ordered by flows:
> Date first seen  Duration  Proto  IP Addr  Flows  Packets  Bytes  pps  bps  bpp
>
> Summary: total flows: 988, total bytes: 124194, total packets: 999, avg
> bps: 450, avg pps: 0, avg bpp: 124
> Time window: 2009-07-16 14:56:28 - 2009-07-16 16:21:37
>
>