On Thu, 25 Jul 2002 20:30:38 -0700 (PDT) "senthil ayyasamy" <mplsgeek@yahoo.com> wrote:
Our border ACLs are catching about three thousand UDP/2100 hits every minute tonight. Is anyone else seeing this? It seems as if ELF/Scalper-A (the Apache/FreeBSD worm) is spreading.
http://www.dshield.org/port_report.php?port=2100 There is no major activity across 2100.
Since the 2100 traffic would be a targeted DDOS attack, it will not show up globally. Also, didn't Scalper use a commodity DDOS engine? So the 2100 traffic you see is not necessarily from Scalper but could be from something else that uses the same DDOS engine.
But activity is more across 17300 (http://www.dshield.org/port_report.php?port=17300). What might be the reason?
Yeah. If anybody has packet captures. Probably not appropriate for the NANOG list. But just send them to me.

--
---------------------------------------------------------------
jullrich@sans.org Collaborative Intrusion Detection
join http://www.dshield.org