Educause Security Discussion mailing list archives
Re: Phatbot
From: "Dr. Tina Bird" <tbird65 () STANFORD EDU>
Date: Fri, 19 Mar 2004 13:54:02 -0800
On Fri, 19 Mar 2004, Doug Pearson wrote:
> Has anyone seen hard information on characteristics of the traffic that would be a good marker distinguishing it from other valid traffic in netflow data, e.g. byte counts, etc.
from the early days of the bandwidth testing:

211.177.73.21 - - [07/Mar/2004:04:05:59 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.207.87.99 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.242.60.126 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
218.154.120.223 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.109.149.199 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"

stanford's investigation is ongoing, so i'm not free to provide much more information than that. however we are pretty sure that the probes are >ongoing<, not just at initialization -- at least in the dataset we've got we have a high number of repeat visits. some of those may be distinct machines doing DHCP, but prolly not all of them...

hope that helps -- tbird
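As an added example (not part of the original post or the thread), one way to turn the access-log lines quoted above into a check: it flags `POST / HTTP/1.0` requests with empty referer and user-agent fields and lists clients that return more than once. Treating those shared fields as the marker is an assumption drawn only from the five quoted lines; the function names and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def matches_marker(f):
    """Fields common to all five quoted lines (assumed marker, a heuristic)."""
    return (f["method"] == "POST" and f["path"] == "/"
            and f["proto"] == "HTTP/1.0"
            and f["referer"] == "-" and f["agent"] == "-")

def scan(lines):
    """Return {client_ip: [(timestamp, size), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and matches_marker(m.groupdict()):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], size))
    return dict(hits)

def repeat_visitors(hits, min_hits=2):
    """Clients seen at least min_hits times: the repeat visits the post notes."""
    return sorted(ip for ip, seen in hits.items() if len(seen) >= min_hits)

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE = [
    '192.0.2.10 - - [07/Mar/2004:04:05:59 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"',
    '198.51.100.7 - - [07/Mar/2004:04:06:10 -0800] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [07/Mar/2004:04:07:41 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"',
    '198.51.100.7 - - [07/Mar/2004:04:09:02 -0800] "POST /cgi-bin/form HTTP/1.1" 200 310 '
    '"http://www.example.edu/form.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [07/Mar/2004:04:31:12 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for ip in repeat_visitors(hits):
        print(ip, len(hits[ip]), sorted({size for _, size in hits[ip]}))
```

Because a repeat source address may be a different machine behind DHCP, as the post points out, the repeat-visitor list is a lead for follow-up rather than a count of hosts.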