[Outages-discussion] What Dyn IPs to look for in netflow?

Darren Schreiber dschreiber at 2600hz.com
Mon Oct 24 17:06:52 EDT 2016


Is this actually what caused the outage in full?

Which would mean, seriously, default passwords are still the highest priority risk? *sigh* How are manufacturers still allowed to ship things with ‘admin admin’ as the password?

*grumbles*


From: Outages-discussion <outages-discussion-bounces at outages.org> on behalf of Damian Menscher <damian at google.com>
Date: Monday, October 24, 2016 at 1:39 PM
To: Charles Sprickman <spork at bway.net>
Cc: "outages-discussion at outages.org" <outages-discussion at outages.org>
Subject: Re: [Outages-discussion] What Dyn IPs to look for in netflow?

You can identify your infected users by looking for outbound scanning on port 23/tcp.  (The Dyn attack was from an IoT botnet which spreads via telnet default passwords.)

Damian

On Sat, Oct 22, 2016 at 6:48 PM, Charles Sprickman <spork at bway.net> wrote:
I wanted to poke through our netflow data from Friday to see if any customers were involved.  Do we have any idea which Dyn IPs were being hit in the east coast attack?

I’ve been poking around with sorting by packet count to UDP 53, but I’m not even sure this was an application level or volumetric attack.   Nothing is standing out (yet)…

Thanks,

Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
spork at bway.net - 212.982.9800



_______________________________________________
Outages-discussion mailing list
Outages-discussion at outages.org
https://puck.nether.net/mailman/listinfo/outages-discussion
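The outbound port-23 heuristic Damian describes, as an added example that is not part of the thread: a small netflow triage script that counts, per internal source, how many distinct hosts it probed on 23/tcp with short SYN-only flows, so a single legitimate telnet session does not trip it. The CSV layout, field names and sample flows are all constructed assumptions, not any real collector's export format.

```python
# Hypothetical helper (not from the thread): flag internal hosts that are
# scanning outbound on 23/tcp. Input is a constructed list of flow records
# in a simplified nfdump-style CSV layout:
#   src_ip,dst_ip,proto,src_port,dst_port,packets,flags
import csv
import io
from collections import defaultdict

# Constructed sample flows: 10.0.0.5 sends tiny SYN-only flows to many
# hosts on 23/tcp (scanner behaviour); 10.0.0.9 has one long telnet
# session and some HTTPS traffic (ordinary use).
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.1,6,45321,23,1,S
10.0.0.5,198.51.100.2,6,45322,23,1,S
10.0.0.5,198.51.100.3,6,45323,23,1,S
10.0.0.5,198.51.100.4,6,45324,23,1,S
10.0.0.5,198.51.100.5,6,45325,23,1,S
10.0.0.5,198.51.100.5,6,45326,23,1,S
10.0.0.9,192.0.2.10,6,51000,23,412,SPA
10.0.0.9,192.0.2.11,6,51001,443,30,SPA
"""

FIELDS = ["src_ip", "dst_ip", "proto", "src_port", "dst_port", "packets", "flags"]

def parse_flows(text):
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        for key in ("proto", "src_port", "dst_port", "packets"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows

def find_telnet_scanners(flows, min_targets=5, max_packets=3):
    """Map src_ip -> number of distinct hosts it probed on 23/tcp, keeping
    only sources with at least min_targets distinct destinations reached
    via short SYN-only flows. One long-lived session does not qualify."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != 6 or f["dst_port"] != 23:
            continue
        if f["packets"] > max_packets or f["flags"] != "S":
            continue
        targets[f["src_ip"]].add(f["dst_ip"])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for ip, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {n} distinct telnet targets, likely scanning")
```

Tune min_targets to your customer base; behind a CGNAT or shared address you will see the aggregate of several subscribers and need the inside address instead.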
