We've seen similar instances of these types of things, usually precipitated by a customer angering someone on IRC that they shouldn't have. It's just a targeted DDoS, either by someone who has owned a large number of boxen on your network, or by someone who doesn't like people who owned a large number of boxen on your network.

-Drew

-----Original Message-----
From: Anderson, Ian [mailto:i.anderson@lancaster.ac.uk]
Sent: Wednesday, December 31, 2003 12:31 PM
To: nanog@merit.edu
Subject: High volumes of UDP traffic

A heads-up

Since yesterday afternoon we saw a large increase in offsite traffic, circa 80,000pps, directed at host deals.in.crackcocaine.us

17:02:52.527762 148.88.156.86.2571 > 69.50.162.82.7854: udp 1
17:02:52.527876 148.88.156.86.2571 > 69.50.162.82.3002: udp 1
17:02:52.527877 148.88.156.86.2571 > 69.50.162.82.37525: udp 1
17:02:52.527996 148.88.156.86.2571 > 69.50.162.82.6170: udp 1
17:02:52.527997 148.88.156.86.2571 > 69.50.162.82.39709: udp 1
17:02:52.528113 148.88.156.86.2571 > 69.50.162.82.9818: udp 1
17:02:52.528114 148.88.156.86.2571 > 69.50.162.82.57395: udp 1
17:02:52.528115 148.88.156.86.2571 > 69.50.162.82.18194: udp 1
17:02:52.528230 148.88.156.86.2571 > 69.50.162.82.55981: udp 1
17:02:52.528231 148.88.156.86.2571 > 69.50.162.82.42256: udp 1
17:02:52.528350 148.88.156.86.2571 > 69.50.162.82.41441: udp 1

These seem to be from various Windows boxen on our network. Due to our campus being locked down we've not been able to examine closely the machines and find out exactly what's going on; we've just disconnected them as an interim measure.

Anyone else seen similar strangeness? Is it coincidence or is it another l33t haxor trying the old "no one's working on New Year's Eve"??

Anyway, a happy new year to all - I'm off to enjoy the party...

Ian

--
Ian Anderson
Network Support
Lancaster University, Lancaster, LA1 4YW
t: 01524 593019 ~ ip: 01524 510101 ~ f: 01524 844011
i.anderson@lancs.ac.uk
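
A defender-side triage of a capture like the one quoted in the original message, as an added example that is not part of either post: it parses tcpdump lines of that format and flags source/destination pairs sending tiny UDP datagrams to scattered ports at a high rate. The function names, thresholds and sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump UDP line: "HH:MM:SS.ffffff SRC.sport > DST.dport: udp LEN"
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)$")

def parse_line(line):
    """Return (seconds_since_midnight, src, dst, dst_port, length) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, _sport, dst, dport, length = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return ts, src, dst, int(dport), int(length)

def find_udp_floods(lines, min_packets=10, min_pps=1000.0, max_payload=8):
    """Flag (src, dst) pairs sending tiny UDP datagrams to scattered ports."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ts, src, dst, dport, length = rec
        flows[(src, dst)].append((ts, dport, length))
    findings = []
    for (src, dst), pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        span = max(p[0] for p in pkts) - min(p[0] for p in pkts)
        pps = (len(pkts) - 1) / span if span > 0 else float("inf")
        ports = {p[1] for p in pkts}
        tiny = all(p[2] <= max_payload for p in pkts)
        # A normal flow reuses one port; here nearly every packet hits a new one.
        if pps >= min_pps and tiny and len(ports) >= 0.9 * len(pkts):
            findings.append({"src": src, "dst": dst, "packets": len(pkts),
                             "distinct_ports": len(ports), "pps": pps})
    return findings

# Constructed sample (documentation addresses): one flood, one busy DNS client.
PORTS = [7854, 3002, 37525, 6170, 39709, 9818, 57395, 18194, 55981, 42256, 41441]
SAMPLE = [f"17:02:52.{527762 + 117 * i:06d} 192.0.2.10.2571 > 198.51.100.20.{p}: udp 1"
          for i, p in enumerate(PORTS)]
SAMPLE += [f"17:02:53.{100 * i:06d} 192.0.2.11.40000 > 198.51.100.53.53: udp 40"
           for i in range(12)]

if __name__ == "__main__":
    for hit in find_udp_floods(SAMPLE):
        print(hit)
```

The timestamps carry no date, so feed it a single capture window that does not cross midnight.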