We are also seeing this traffic at AS4436. Appears to be coming from IP addresses all over the space. Here's a box that traps all of 165.227.0.0/16: 23:08:13.257197 165.194.123.131.1227 > 165.227.92.176.1434: udp 376 23:08:13.259778 129.187.150.78.2667 > 165.227.84.186.1434: udp 376 23:08:13.276695 61.40.143.242.3794 > 165.227.21.48.1434: udp 376 23:08:13.284191 128.218.133.213.1078 > 165.227.198.96.1434: udp 376 23:08:13.286648 169.229.141.44.1065 > 165.227.255.90.1434: udp 376 23:08:13.294512 218.232.109.22.3302 > 165.227.146.129.1434: udp 376 23:08:13.300412 137.79.10.100.2478 > 165.227.5.230.1434: udp 376 23:08:13.302869 128.143.100.86.1397 > 165.227.41.248.1434: udp 376 23:08:13.317327 203.226.64.220.3081 > 165.227.216.188.1434: udp 376 23:08:13.319908 209.41.170.8.4033 > 165.227.252.85.1434: udp 376 23:08:13.322365 64.71.177.201.2439 > 165.227.128.21.1434: udp 376 23:08:13.327937 216.120.60.154.3005 > 165.227.125.156.1434: udp 376 23:08:13.330435 64.239.145.3.3231 > 165.227.4.161.1434: udp 376 23:08:13.333016 204.228.229.106.4049 > 165.227.238.69.1434: udp 376 23:08:13.335350 212.209.231.186.52703 > 165.227.38.136.1434: udp 376 23:08:13.337930 207.46.200.162.2343 > 165.227.96.170.1434: udp 376 23:08:13.340388 61.178.83.30.4525 > 165.227.77.119.1434: udp 376 23:08:13.342887 62.250.16.28.1385 > 165.227.119.91.1434: udp 376 23:08:13.345468 66.155.116.10.1041 > 165.227.106.35.1434: udp 376 23:08:13.362506 207.226.255.124.2331 > 165.227.189.42.1434: udp 376 23:08:13.364964 63.241.139.196.1150 > 165.227.135.221.1434: udp 376 23:08:13.367422 66.109.239.200.1117 > 165.227.67.250.1434: udp 376 23:08:13.370042 194.100.187.36.2342 > 165.227.103.27.1434: udp 376 23:08:13.372501 158.38.141.86.3269 > 165.227.239.113.1434: udp 376 23:08:13.374959 212.71.66.23.2019 > 165.227.232.118.1434: udp 376 23:08:13.377417 158.38.141.65.1382 > 165.227.169.58.1434: udp 376 23:08:13.379915 130.127.8.157.2980 > 165.227.107.122.1434: udp 376 23:08:13.382496 207.46.200.146.2718 > 165.227.49.107.1434: udp 376 23:08:13.386100 80.237.200.171.1198 > 165.227.93.216.1434: udp 376 23:08:13.388557 64.71.180.135.1915 > 165.227.38.41.1434: udp 376 23:08:13.394660 211.117.60.188.2806 > 165.227.49.12.1434: udp 376
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Granados Sent: Friday, January 24, 2003 10:41 PM To: Alex Rubenstein Cc: hc; nanog@merit.edu Subject: Re: Level3 routing issues?
We just had a box inside one of my customers networks start sending tons of small packets not sure what kind yet.
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/s> witch9.oct.nac.net-3865.
html
We are seeing this on ports all across out network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
I will dig more to look at the traffic.
On Sat, 25 Jan 2003, hc wrote:
Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!
-hc
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --