Re: distributed attack, high or not
I define it as random because the traffic rise could be seen coming in from multiple providers and looked to be the same percent from all sources (separate routers with separate interfaces to separate ASNs in separate geographic locations). The traffic was inbound and not backsplash from randomized source addresses. It looks to me like an infection with someone turning a control knob. Is this common or a precursor of a bad thing? The anomaly was exactly one hour long. First I have seen of something like this in a relatively short time of gathering stats ... which I'm doing for another project.

--On Thursday, 31 January 2002 02:09 +0000 Avleen Vig <lists-nanog@silverwraith.com> wrote:
On Thu, 31 Jan 2002, Joseph T. Klein wrote:
I saw what appears to be a distributed attack against a single IP address that reached nearly 500Mbs. I was thinking that this is high. Are people seeing any random attacks of this magnitude?
Please define random :) If you mean the source is random, then yes this attack is of a high magnitude and I've seen one other this bad. The addresses could be real, or spoofed - depending on the circumstance and exact nature of the attack it'll vary.
If you mean the target appears to be random, then you're probably just very very unlucky :( Attacks of this size are normally aimed at large IRC servers or large / popular websites.
--
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf

--
Joseph T. Klein jtk@titania.net