North American Network Operators Group

Re: Dos attack?
Thanks Guy

I have sent them more detailed info.

Eric

guy wrote:
>
> Eric,
> You should start with your upstream's security dept. They may have
> seen either this incident, a related one, or both. And they more than
> likely have resources at other transit providers' security depts. You pay
> for their service, you may as well use it, right?
>
> Guy
>
> ------------------------------------------------------------------------
> Hi,
>
> We are getting a LOT of web requests containing what mostly looks like
> gibberish.
>
> [Mon Oct 20 21:13:42 2003] [error] [client 172.133.3.204] request
> failed: erroneous characters after protocol string:
> \xb8\xcf\xc235\x9f\xc4\x1c\xebj\xd7\xc5\x8e\xe9d>\xfdMe\xed\x16\xca\xd51\xcfReF\x82\xa3qi\x89\x832<\vJ5k\x15\xa2\x0c\
> x90\xed\x8bCT\xa3\xa2\x96\xd7\xe8\xa2`S#+W\xfc\xc2\xc2w*\xce\x1a<\xb9\xc3\x91\x14\xb0\x9e\xfe\x14\"7\xaa\xeaR\xd1\x9c
> \x13\x1a\xf0\x1aN\x8eklP\xdc\xc1\xe3\xb9w\xb0\x1aGt\x04|I4\xae\x06WC\x15NA\x80\xb1\xc5E~\xd59\x85+\xcc\x9e\xb8\xaf(\r
> \x1f\x97
>
> But this is not the standard Microsoft worm stuff that I can tell. It is
> coming from numerous IP addresses and nearly took down a few of our
> servers until we started blocking them with the firewall. So I am trying
> to find out as much as I can about what is happening, but I don't really
> know where to start. I don't believe it is considered appropriate to
> send a list of IPs to this list. So where should I start? The list so
> far contains about 60 addresses.
>
> Thanks,
>
> Eric