Note, further analysis makes me believe that the ICMP we saw immediately beforehand was a coincidence and unrelated. The origin of the ICMP has been traced to a customer application. -jr * Josh Richards <jrichard@cubicle.net> [20030125 00:21]:
A preliminary look at some of our NetFlow data shows a suspect ICMP payload delivered to one of our downstream colo customer boxes followed by a 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random destinations on 1434/udp. This customer typically does about 0.250 Mbit/s so this was a bit out of their profile. :-) Needless to say, we shut them down per a suspected security incident. The ICMP came from 66.214.194.31 though that could quite easily be forged or just another compromised box. We're seeing red to many networks all over the world though our network seems to have quieted down a bit. Sounds like a DDoS in the works.
Anyone else able to corroborate/compare notes?
---- Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }> Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek