[nsp-sec] Ping University of Pennsylvania
Smith, Donald
Donald.Smith at qwest.com
Tue May 11 12:18:21 EDT 2010
I did a quick netflow report for an IP that Krista reported to me and the traffic appeared to be spoofed,
as the attack traffic was coming in a different interface than the web traffic for the IP she reported to me.
The attack traffic was ALL 15000 byte ICMP echo requests and replies.
I recall that is a classic type attack but forgot which tool/bot used that method (storm maybe?)
Sharing: you may share the traffic details but anonymize.
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Gabriel Iovino
> Sent: Monday, May 10, 2010 1:53 PM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Ping University of Pennsylvania
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 5/10/2010 3:38 PM, Krista Hickey wrote:
> > ----------- nsp-security Confidential --------
> >
> > If there's anyone from University of Pennsylvania around (or anyone
> > who can proxy something off to folks there) I'd appreciate it if you
> > could eyeball 128.91.108.33 as we've been seeing that IP hitting one
> > of our interfaces with ICMP traffic since last night approx 18:44 EST
> > (-0500),
> >
> >
> > There were a few sources to the apparent attack and all but
> > University of Pennsylvania have ceased as of today so our network
> > guys asked if I could poke someone.
>
> I can proxy+(sanitize) this along to some trusted contacts, I'll
> follow-up with you when/if I hear something back.
>
> Thanks
>
> Gabe
>
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvoZDQACgkQwqygxIz+pTuCZQCghPf4n3JmYB+z9q24iedVtTE3
> AlQAoKIjdghIMWuwX7rYgBIih/+1IcHz
> =QHnl
> -----END PGP SIGNATURE-----
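The ingress-interface comparison described in the message above, as an added example that is not part of the original post: it flags sources whose ICMP flows arrive on a different interface than their other traffic and reports the average ICMP packet size. The CSV layout, interface names and addresses (documentation ranges) are constructed assumptions, not data from the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real data); column names are assumed.
SAMPLE_FLOWS = """\
src,dst,proto,in_if,packets,bytes
192.0.2.10,203.0.113.5,tcp,ge-0/0/1,120,98000
192.0.2.10,203.0.113.5,tcp,ge-0/0/1,80,61000
192.0.2.10,203.0.113.5,icmp,ge-0/0/7,400,6000000
192.0.2.10,203.0.113.5,icmp,ge-0/0/7,350,5250000
198.51.100.20,203.0.113.5,tcp,ge-0/0/2,60,42000
198.51.100.20,203.0.113.5,icmp,ge-0/0/2,4,336
198.51.100.99,203.0.113.5,icmp,ge-0/0/7,500,7500000
"""

def load_flows(text):
    """Parse the CSV export into dicts with integer counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows

def classify_sources(flows, suspect_proto="icmp"):
    """Compare ingress interfaces of suspect-protocol flows with each source's other flows."""
    baseline, suspect = defaultdict(set), defaultdict(set)
    for f in flows:
        bucket = suspect if f["proto"] == suspect_proto else baseline
        bucket[f["src"]].add(f["in_if"])
    verdicts = {}
    for src, ifs in suspect.items():
        base = baseline.get(src, set())
        if not base:
            verdicts[src] = "no-baseline"      # nothing to compare against
        elif ifs.isdisjoint(base):
            verdicts[src] = "likely-spoofed"   # never shares an interface with normal traffic
        elif ifs <= base:
            verdicts[src] = "consistent"
        else:
            verdicts[src] = "mixed"
    return verdicts

def avg_packet_size(flows, src, proto="icmp"):
    """Average bytes per packet for one source and protocol (0 if no packets)."""
    sel = [f for f in flows if f["src"] == src and f["proto"] == proto]
    pkts = sum(f["packets"] for f in sel)
    return sum(f["bytes"] for f in sel) // pkts if pkts else 0
```

An interface mismatch is an indicator rather than proof: asymmetric routing or a multihomed source can also move traffic between ingress interfaces.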