In message <20020131025142.A12260@monet.titania.net>, "Joseph T. Klein" writes:
I define it as random because the traffic rise could be seen coming in from multiple providers and looked to be the same percent from all sources (separate routers with separate interfaces to separate ASNs in separate geographic locations). The traffic was inbound and not backsplash from randomized source addresses.
It looks to me like an infection with someone turning a control knob. Is this common or a precursor of a bad thing?
It's a classic DDoS attack, aimed at you. Someone has lots of zombie machines out there; at some point, they sent a command packet to all of them, saying "bombard such-and-such an IP address for 3600 seconds". Common? It happens frequently to someone. Precursor? Entirely possible, though there's no way to know for sure. But it can be very bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html for what happened to a British ISP.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com