Investigation is still ongoing, but from what they can tell, the majority of the attempted connections have been going over TCP port 22.
-jack
-----Original Message----- From: Josh Duffek [mailto:consultantjd16@ridemetro.org] Sent: Friday, October 01, 2004 11:05 AM To: Jack Vizelter; nanog@merit.edu Subject: RE: Internet Connectivity
Did you run a sniffer to get an idea of what all the traffic is? Curious what, if any, port(s) are being flooded.
J
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jack Vizelter Sent: Friday, October 01, 2004 9:56 AM To: nanog@merit.edu Subject: Internet Connectivity
We had several machines start spewing huge amounts of data causing our pipe to the public Internet to stop. We had no traffic coming in or out of the campus. We're unsure of whether it's virus related, but wanted to inquire if anyone else has heard of or come across something similar. It appears to be a DDOS attack, but, originating from the inside. This started last night at about 10pm EST.
Thanks, -jack
ahh then you have one of the new wormy things that scans aggressively for easy accounts on ssh. find src host and disinfect.
Steve
On Fri, 1 Oct 2004, Jack Vizelter wrote:
Investigation is still ongoing, but from what they can tell, the majority of the attempted connections have been going over TCP port 22.
-jack
-----Original Message----- From: Josh Duffek [mailto:consultantjd16@ridemetro.org] Sent: Friday, October 01, 2004 11:05 AM To: Jack Vizelter; nanog@merit.edu Subject: RE: Internet Connectivity
Did you run a sniffer to get an idea of what all the traffic is? Curious what, if any, port(s) are being flooded.
J
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jack Vizelter Sent: Friday, October 01, 2004 9:56 AM To: nanog@merit.edu Subject: Internet Connectivity
We had several machines start spewing huge amounts of data causing our pipe to the public Internet to stop. We had no traffic coming in or out of the campus. We're unsure of whether it's virus related, but wanted to inquire if anyone else has heard of or come across something similar. It appears to be a DDOS attack, but, originating from the inside. This started last night at about 10pm EST.
Thanks, -jack
Investigation is still ongoing, but from what they can tell, the majority of the attempted connections have been going over TCP port 22.
-jack
Aggressive SSH scans have been well reported on the internet in the last month or so.
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com noc@cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101
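One way to carry out the "find src host" step from the thread, as an added example that is not part of the original messages: it reads `tcpdump -nn` text output taken at the border and lists internal hosts sending bare SYNs to TCP port 22 on many distinct outside addresses. The `10.0.0.0/8` campus prefix, the threshold of 5 targets, and the sample capture lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed campus address space; replace with the site's own prefixes.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Matches `tcpdump -nn` text output for IPv4 TCP packets.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def ssh_scanners(lines, min_targets=5):
    """Return {internal_src: count of distinct external dsts} for SYNs to TCP/22."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m or m["dport"] != "22" or m["flags"] != "S":
            continue  # keep only connection attempts (SYN without ACK) to port 22
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            targets[m["src"]].add(m["dst"])
    hits = {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))

def sample_capture():
    """Constructed sample: one scanning host, one ordinary SSH user, one web request."""
    lines = [
        f"22:00:{i:02d}.000000 IP 10.1.2.3.{40000 + i} > 198.51.100.{i + 1}.22: "
        "Flags [S], seq 1, win 5840, length 0"
        for i in range(20)
    ]
    lines += [
        "22:00:30.000000 IP 10.1.9.9.51000 > 203.0.113.5.22: Flags [S], seq 1, win 5840, length 0",
        "22:00:30.100000 IP 203.0.113.5.22 > 10.1.9.9.51000: Flags [S.], seq 9, ack 2, win 5792, length 0",
        "22:00:31.000000 IP 10.1.9.9.51001 > 203.0.113.80.80: Flags [S], seq 1, win 5840, length 0",
    ]
    return lines

if __name__ == "__main__":
    for src, n in ssh_scanners(sample_capture()).items():
        print(f"{src}: SYNs to {n} distinct external hosts on TCP/22")
```

Counting distinct destinations rather than packets keeps a single long-lived or retried SSH session from being reported alongside hosts that are sweeping address space.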
participants (3)
- Jack Vizelter
- james edwards
- Stephen J. Wilcox