[nsp-sec] HTTP attackers, sources and some targets.

Scott A. McIntyre scott at xs4all.net
Wed Aug 4 11:19:24 EDT 2010


Hi Donald,


On 04/08/10 17:11 , Smith, Donald wrote:
> Scott can I assume this is in the form.
> asn | attacking IP|victim ip date time stamp | full name
> 
> Assuming that is correct what does 0.0.0.0 mean in the field that I believe is the victim ip?
> 
> 

Sorry - should have spelled that one out.  Standard nomenclature, as in
0.0.0.0/0, aka, "everything" -- the mitigation system either blocked
based upon a specific /32 (listed) as the destination or "any
destination within the filtered network."

The destination IP for the attack should have been the 213.214.114.30
node for all traffic on your end.

I suspect that the folks doing the filtering were experimenting with a
few ways to mitigate this and multiple IPs within their infrastructure
was just one of the techniques.

At any rate, the flows you should seek out were for any of the attack
targets I mentioned, destination port 80, protocol tcp.

Cheers,

Scott A. McIntyre
XS4ALL Internet B.V.
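
The matching described in this message, as an added example that is not part of the original e-mail: it reads report rows in the layout Donald describes, treats a 0.0.0.0 victim as 0.0.0.0/0, and keeps only TCP port 80 flows towards known attack targets. The timestamp format, the function names, the documentation-range ASNs and addresses, and 203.0.113.9 as a second target are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rows (documentation ASNs and addresses), assumed layout:
# asn | attacking IP | victim IP date time | full name
SAMPLE_REPORT = """\
64496 | 192.0.2.10 | 213.214.114.30 2010-08-04 09:12:44 | EXAMPLE-NET-A
64496 | 192.0.2.77 | 0.0.0.0 2010-08-04 09:13:02 | EXAMPLE-NET-A
64511 | 198.51.100.5 | 0.0.0.0 2010-08-04 09:15:30 | EXAMPLE-NET-B
"""

# Constructed flow records: (src, dst, proto, dst_port). 203.0.113.9 is a placeholder target.
SAMPLE_FLOWS = [
    ("192.0.2.10", "213.214.114.30", "tcp", 80),   # listed /32 victim
    ("192.0.2.10", "203.0.113.9", "tcp", 80),      # target, but not this row's /32
    ("192.0.2.77", "203.0.113.9", "tcp", 80),      # wildcard victim, any target
    ("192.0.2.77", "213.214.114.30", "tcp", 443),  # wrong port
    ("198.51.100.5", "213.214.114.30", "udp", 80), # wrong protocol
    ("192.0.2.200", "213.214.114.30", "tcp", 80),  # source not in the report
]

def parse_report(text):
    """Return (asn, attacker, victim_network, seen, name) tuples."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip blank or malformed rows
        victim_ip, _, seen = parts[2].partition(" ")
        # 0.0.0.0 means "any destination within the filtered network"
        net = "0.0.0.0/0" if victim_ip == "0.0.0.0" else victim_ip + "/32"
        entries.append((int(parts[0]), ipaddress.ip_address(parts[1]),
                        ipaddress.ip_network(net), seen.strip(), parts[3]))
    return entries

def matching_flows(entries, flows, targets):
    """Flows from reported sources to attack targets, TCP destination port 80."""
    target_set = {ipaddress.ip_address(t) for t in targets}
    by_src = {}
    for _, attacker, victim_net, _, _ in entries:
        by_src.setdefault(attacker, []).append(victim_net)
    hits = []
    for src, dst, proto, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if proto != "tcp" or dport != 80 or d not in target_set:
            continue
        if any(d in net for net in by_src.get(s, [])):
            hits.append((src, dst, proto, dport))
    return hits
```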



