North American Network Operators Group

Re: New worm / port 1434?

  • From: Stephen J. Wilcox
  • Date: Sat Jan 25 12:17:02 2003

On Sat, 25 Jan 2003, Eric Gauthier wrote:

> 
> Ok,
> 
> I'm not sure if this helps at all.  Our campus has two primary connections - 
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions
> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any 
> noticeable increase in our Internet2 bandwidth.  I'm throwing this out there 
> because it may indicate that the destinations for the traffic - though large - 
> aren't completely random.
> 
> Has anyone else seen this?


Sources from our customers are in pockets so not a good spread of source but the
destination is -very- random.. I'm not seeing that many packets duplicating the
same destination


Now having said that there is some algorithm at work perhaps the same one that
was used in the Codered worm

There are many more hits to the same /16 and same /8 as source with a general
spread over the rest of the IP space

There appears to be significantly more over 128/1 than 0/1 which is odd although
certain /8s appear to be popular (32, 81, 53, 35, 38)

Steve


> 
> Eric :)
> 
> PS: Yep - we're a university and we're a source - big surprise there...  I 
> just filtered out our 200Mbps contribution to this problem in case you're 
> curious...
>
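
The breakdown described in the reply above (destinations inside the source's own /16 and /8, the 0/1 versus 128/1 split, popular /8s, repeated destinations) can be tallied from flow records as follows. This is an added example, not part of the original thread; the sample flows and the function name `destination_profile` are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed (source, destination) pairs standing in for UDP/1434 flow records.
SAMPLE_FLOWS = [
    ("172.16.5.9", "172.16.200.1"),
    ("172.16.5.9", "172.16.3.77"),
    ("172.16.5.9", "172.99.1.1"),
    ("172.16.5.9", "32.10.20.30"),
    ("172.16.5.9", "81.4.4.4"),
    ("172.16.5.9", "203.0.113.9"),
    ("172.16.5.9", "198.51.100.200"),
    ("172.16.5.9", "32.10.20.30"),     # repeat of an earlier destination
    ("172.16.5.9", "not-an-address"),  # malformed record, counted as skipped
]

def destination_profile(flows):
    """Tally where IPv4 flows are aimed, relative to each flow's source."""
    locality = Counter()    # same /16 as source, same /8 only, or elsewhere
    halves = Counter()      # 0/1 versus 128/1
    per_slash8 = Counter()  # first octet of the destination
    distinct = set()
    skipped = 0
    for src, dst in flows:
        try:
            s = int(ipaddress.IPv4Address(src))
            d = int(ipaddress.IPv4Address(dst))
        except ValueError:
            skipped += 1
            continue
        if s >> 16 == d >> 16:
            locality["same_16"] += 1
        elif s >> 24 == d >> 24:
            locality["same_8"] += 1
        else:
            locality["elsewhere"] += 1
        halves["128/1" if d >> 31 else "0/1"] += 1
        per_slash8[d >> 24] += 1
        distinct.add(d)
    return {
        "locality": dict(locality),
        "halves": dict(halves),
        "top_slash8": per_slash8.most_common(2),
        "repeat_destinations": sum(per_slash8.values()) - len(distinct),
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(destination_profile(SAMPLE_FLOWS))
```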