[nsp-sec] Flood Towards 109.104.84.2
Rob Shakir
rjs at eng.gxn.net
Sun Jan 10 08:51:53 EST 2010
Hi NSP-Sec,
We've seen a few bursts of packets towards a downstream customer since earlier this morning.
The target IP is 109.104.84.2 (AS20738) via AS5413.
It looks to be >1Gbps, but since we're seeing it coming only via a single upstream (AS1299), I can't be certain of the exact rate. The traffic is a bunch of ICMP followed by seemingly random-sized packets headed for UDP/80 on the target system, from random source ports (although on a per-visit basis, each source seems to numerically increase the port number).
I'm not entirely sure whether this traffic is spoofed; it's from relatively few ASes (all seemingly related to China), but the source IPs look a little less sequential than other attacks of this nature that we've seen in the past.
If anyone has any flows towards 109.104.84.2, or information relating to any of the hosts in the attached - further information, and/or cleanup would be great!
Format is as per:
ASN | IP | First Flow Seen | AS Name
Many thanks & enjoy the rest of your weekend!
Kind regards,
Rob
--
Rob Shakir <rjs at eng.gxn.net>
Network Development Engineer GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE
This email is subject to: http://www.vialtus.com/disclaimer.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: as5413-downstream-as20738-flood.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20100110/a0aad99a/attachment-0001.txt>
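Added example, not part of the original post or its attachment: a triage script for a source list in the "ASN | IP | First Flow Seen | AS Name" layout, reporting per-ASN source counts, earliest flow, and how often the source IPs are numerically adjacent (the "sequential" pattern the post compares against). The sample rows are constructed (private-use ASNs, documentation IP ranges), and the timestamp format is an assumption because the post does not show one.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's "ASN | IP | First Flow Seen | AS Name" layout.
# ASNs are private-use, IPs are RFC 5737 documentation ranges; the timestamp
# format is an assumption (the post does not show one).
SAMPLE = """\
64512 | 192.0.2.10 | 2010-01-10 07:02:11 | EXAMPLE-NET-A
64512 | 192.0.2.11 | 2010-01-10 07:02:12 | EXAMPLE-NET-A
64512 | 192.0.2.12 | 2010-01-10 07:02:15 | EXAMPLE-NET-A
64513 | 198.51.100.7 | 2010-01-10 07:05:40 | EXAMPLE-NET-B
64513 | 198.51.100.93 | 2010-01-10 07:04:02 | EXAMPLE-NET-B
64513 | 198.51.100.201 | 2010-01-10 07:06:30 | EXAMPLE-NET-B
malformed line without separators
"""

def parse(text):
    """Yield (asn, ip, first_seen, as_name); skip blank or malformed rows."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), ipaddress.ip_address(parts[1]),
                   datetime.strptime(parts[2], "%Y-%m-%d %H:%M:%S"), parts[3])
        except ValueError:
            continue

def summarise(text):
    """Per ASN: distinct sources, earliest flow, share of numerically adjacent IPs."""
    by_asn = defaultdict(list)
    for asn, ip, seen, name in parse(text):
        by_asn[asn].append((ip, seen, name))
    out = {}
    for asn, rows in by_asn.items():
        ips = sorted({int(ip) for ip, _, _ in rows})
        gaps = [b - a for a, b in zip(ips, ips[1:])]
        out[asn] = {
            "as_name": rows[0][2],
            "sources": len(ips),
            "first_seen": min(seen for _, seen, _ in rows),
            # High values mean the sources walk an address range one by one.
            "adjacent_ratio": sum(g == 1 for g in gaps) / len(gaps) if gaps else 0.0,
        }
    return out

if __name__ == "__main__":
    for asn, s in sorted(summarise(SAMPLE).items()):
        print(asn, s)
```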