Full Disclosure mailing list archives

100 Worms per Second, Courtesy of Telstra


From: "Karl A. Krueger" <kkrueger () outbox whoi edu>
Date: Sun, 26 Jan 2003 13:50:40 -0500

Pardon my delurk, but this is very strange worm behavior.  We are seeing
100 SQL Worms per second from a single IP address on Telstra.  This is
about 10k times the level of activity we are seeing from any other
address.

Anyone here either know anyone at Telstra who can shut this off, or
perhaps at least some explanation of why this worm instance would set
aside its usual randomish behavior and flood us like this?

This is 1/10th of a second of tcpdump, from outside our firewall:

13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434:  udp 376
13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434:  udp 376
13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434:  udp 376
13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434:  udp 376
13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434:  udp 376
13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434:  udp 376
13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434:  udp 376
13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434:  udp 376
13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434:  udp 376
13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434:  udp 376
13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434:  udp 376

-- 
Karl A. Krueger <kkrueger () whoi edu>
Network Security -- Linux/Unix Systems Support -- Etc.
Woods Hole Oceanographic Institution

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
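
An added example, not part of the original post: a small Python check that takes tcpdump lines in the format shown above and reports, per source address, the packet rate and number of distinct destinations on UDP port 1434. The function names and the thresholds (`min_pps`, `min_dsts`) are assumptions chosen for illustration; the last sample line is constructed.

```python
import re
from collections import defaultdict

# Old-style tcpdump line: "HH:MM:SS.frac src.port > dst.port:  udp LEN"
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):\s+udp (\d+)$")

# First 11 lines are the capture from the post. The last line is constructed
# (192.0.2.0/24 is a documentation range) to show a source that is not flagged.
SAMPLE = """\
13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434:  udp 376
13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434:  udp 376
13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434:  udp 376
13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434:  udp 376
13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434:  udp 376
13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434:  udp 376
13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434:  udp 376
13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434:  udp 376
13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434:  udp 376
13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434:  udp 376
13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434:  udp 376
13:34:01.200000 192.0.2.10.4000 > xxx.yyy.1.2.1434:  udp 376
"""

def summarize(text, dport=1434):
    """Per-source packet count, distinct destinations and packets/second."""
    seen = defaultdict(lambda: {"times": [], "dsts": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m.group(7)) != dport:
            continue  # skip unparsable lines and other destination ports
        h, mi, s, src, _sport, dst, _dport, _length = m.groups()
        seen[src]["times"].append(int(h) * 3600 + int(mi) * 60 + float(s))
        seen[src]["dsts"].add(dst)
    out = {}
    for src, e in seen.items():
        span = max(e["times"]) - min(e["times"])
        n = len(e["times"])
        # Rate from inter-arrival intervals; reported as 0 for a single packet.
        pps = (n - 1) / span if span > 0 else 0.0
        out[src] = {"packets": n, "dsts": len(e["dsts"]), "pps": pps}
    return out

def flood_sources(text, min_pps=50.0, min_dsts=5):
    """Sources that exceed both the rate and the destination-spread threshold."""
    stats = summarize(text)
    return sorted(s for s, v in stats.items()
                  if v["pps"] >= min_pps and v["dsts"] >= min_dsts)
```

On the capture above this gives roughly 105 packets per second to 11 distinct destinations for 203.50.0.215, in line with the rate reported in the post.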

