North American Network Operators Group

Re: New worm / port 1434?
Note, further analysis makes me believe that the ICMP we saw immediately beforehand was a coincidence and unrelated. The origin of the ICMP has been traced to a customer application.

-jr

* Josh Richards <[email protected]> [20030125 00:21]:
>
> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
> delivered to one of our downstream colo customer boxes followed by a
> 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random
> destinations on 1434/udp. This customer typically does about 0.250 Mbit/s
> so this was a bit out of their profile. :-) Needless to say, we shut them
> down per a suspected security incident. The ICMP came from 66.214.194.31
> though that could quite easily be forged or just another compromised box.
> We're seeing red to many networks all over the world though our network seems
> to have quieted down a bit. Sounds like a DDoS in the works.
>
> Anyone else able to corroborate/compare notes?

----
Josh Richards <[email protected]{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek