I don't have more specific information yet, however, just wanted to poll the crowd. Is anyone seeing any recent Denial of Service / Probes affecting NAT devices started in the last couple days / weeks?

Starting Tuesday night, we started getting complaints from customers in a specific net block of our network, all of whom were running small "personal" firewalls (Netgear, Linksys etc) about:

1. able to send, but not get email
2. able to browse 1% of web pages
3. able to ping / traceroute just fine.

Pages would load a tiny bit then stall. When they step out from behind the firewall, even using the same IP address the firewall used, they are fine, i.e. all services.

Of the probably 150 customers in that netblock, only 8 of them called with these symptoms, the rest are working fine.

I'll have sniffer logs later today, but just wanted to see if anyone else had run into this recently. Feel free to reply offline.

-donn
Starting Tuesday night, we started getting complaints from customers in a specific net block of our network, all of whom were running small "personal" firewalls (Netgear, linksys etc) about:
Someone on that network is scanning/flooding it hard... probably from a hacked box spoofing IPs. Last one I had was a Linux boxen with a 'udp.pl' running from a pseudo-root account. As it was not actually making connections, many of the traffic/monitoring tools had a hard time identifying it. We found it using ntop (ntop.org) and the packet stats on the ethernet switches.
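The switch packet-stats check described in the reply above, as an added example that is not part of either original post: it compares two polls of per-port inbound counters and flags the port whose packet rate is far above the median, which works even when the traffic never forms connections. The port names, counter values and thresholds are constructed assumptions; the counters are assumed to be 32-bit (as with IF-MIB `ifInUcastPkts` / `ifInOctets`), so a wrap between polls is handled.

```python
from statistics import median

COUNTER_MAX = 2 ** 32  # assumption: 32-bit interface counters that wrap


def delta(old, new, modulus=COUNTER_MAX):
    """Counter difference that tolerates one wrap between two polls."""
    return (new - old) % modulus


def port_rates(before, after, interval_s):
    """Return {port: (packets_per_second, avg_bytes_per_packet)} for
    traffic entering the switch on each port between the two polls."""
    rates = {}
    for port, (pkts0, octets0) in before.items():
        pkts1, octets1 = after[port]
        pkts = delta(pkts0, pkts1)
        octets = delta(octets0, octets1)
        avg = octets / pkts if pkts else 0.0
        rates[port] = (pkts / interval_s, avg)
    return rates


def suspect_ports(rates, pps_factor=20, min_pps=1000):
    """Flag ports whose inbound packet rate dwarfs the median port.
    pps_factor and min_pps are illustrative thresholds, not tuned values."""
    base = max(median(pps for pps, _ in rates.values()), 1.0)
    flagged = [(port, pps, avg) for port, (pps, avg) in rates.items()
               if pps >= min_pps and pps > pps_factor * base]
    return sorted(flagged, key=lambda r: r[1], reverse=True)


# Constructed sample: (inbound unicast packets, inbound octets) per port,
# polled 60 seconds apart. Fa0/7's packet counter wraps between polls.
BEFORE = {"Fa0/1": (100000, 50000000), "Fa0/2": (200000, 9000000),
          "Fa0/3": (5000, 400000), "Fa0/4": (70000, 30000000),
          "Fa0/7": (4294000000, 1000000000)}
AFTER = {"Fa0/1": (112000, 56000000), "Fa0/2": (203000, 11400000),
         "Fa0/3": (5600, 640000), "Fa0/4": (76000, 33600000),
         "Fa0/7": (2032704, 1210000000)}

if __name__ == "__main__":
    for port, pps, avg in suspect_ports(port_rates(BEFORE, AFTER, 60)):
        print(f"{port}: {pps:.0f} pps inbound, {avg:.0f} bytes/packet average")
```

A high packet rate combined with a small average packet size on a single access port is the signature to follow up with a capture on that port.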
participants (2)
- Donn Lasher
- mike harrison