[nsp-sec] comcast?
Chris Morrow
morrowc at ops-netman.net
Tue Dec 20 21:11:30 EST 2011
On 12/20/2011 08:13 PM, Wim Biemolt wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> Seems I'm suffering from a >15Gbps DDoS (UDP/161 traffic).
> According to our flows it is coming from AS 7922 (comcast).
>
>> proto UDP and port 161
>> Top 2 AS ordered by flows:
>> Date first seen Duration Proto AS Flows(%) Packets(%) Bytes(%) pps bps bpp
>> 2011-12-20 23:39:49.910 1779.610 any 1101 16.1 M(99.9) 1.6 G(99.9) 2.4 T(100.0) 904626 2.1 G 1478
>> 2011-12-20 23:39:54.810 1774.710 any 7922 15.5 M(96.3) 1.6 G(96.2) 2.3 T( 96.7) 874011 1.8 G 1484
>
> Currently we are coping however it would be nice if it could
> be stopped. The target most likely is a spamhaus mirror/server.

guessing this is more snmp reflective dos... and like CPE/modems
bouncing back 'sys.Descr.0' or the like :(

would be interesting to get some idea of WHAT it is from and perhaps see
if Comcast can put a clamp on it for everyone, since this is hitting
more than you (spamhaus and cymru and a few others reported same sorts
of incidents over the last 2-3 months)