Educause Security Discussion mailing list archives

Re: Phatbot


From: "Dr. Tina Bird" <tbird65 () STANFORD EDU>
Date: Fri, 19 Mar 2004 13:54:02 -0800

On Fri, 19 Mar 2004, Doug Pearson wrote:

> Has anyone seen hard information on characteristics of the traffic that would be a good marker distinguishing it from
> other valid traffic in netflow data, e.g. byte counts, etc.


from the early days of the bandwidth testing:

211.177.73.21 - - [07/Mar/2004:04:05:59 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.207.87.99 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.242.60.126 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
218.154.120.223 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.109.149.199 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"

--> stanford's investigation is ongoing, so i'm not free to provide much
more information than that.  however we are pretty sure that the probes
are >ongoing<, not just at initialization -- at least in the dataset we've
got we have a high number of repeat visits.  some of those may be distinct
machines doing DHCP, but prolly not all of them...

hope that helps -- tbird
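A detection sketch for the marker discussed above, added here as an example and not part of the original post: it parses Apache combined-format lines (the five quoted above plus two constructed ones), flags "POST /" requests that carry neither Referer nor User-Agent and return an identical byte count from several distinct sources, and then counts repeat visitors per source IP. The regex, the `min_sources` threshold and the two extra sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache combined-log line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The five lines quoted in the post, plus two constructed lines: a repeat visit from
# the first host, and an ordinary browser GET that the filter should ignore.
SAMPLE_LOG = """\
211.177.73.21 - - [07/Mar/2004:04:05:59 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.207.87.99 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.242.60.126 - - [07/Mar/2004:04:06:00 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
218.154.120.223 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.109.149.199 - - [07/Mar/2004:04:06:03 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
211.177.73.21 - - [07/Mar/2004:04:09:12 -0800] "POST / HTTP/1.0" 200 22378 "-" "-"
10.0.0.5 - - [07/Mar/2004:04:09:30 -0800] "GET /index.html HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0 (constructed)"
"""

def parse(log_text):
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_headerless_post(rec):
    """The marker from the thread: POST to / with neither Referer nor User-Agent."""
    return rec["req"].startswith("POST / ") and rec["ref"] == "-" and rec["ua"] == "-"

def bandwidth_test_hits(log_text, min_sources=3):
    """Group headerless POSTs by (request, status, bytes) and keep signatures seen
    from at least min_sources distinct IPs; an identical byte count across many
    unrelated sources is the kind of hard marker the question asks about."""
    sources = defaultdict(set)
    for rec in filter(is_headerless_post, parse(log_text)):
        sources[(rec["req"], rec["status"], rec["bytes"])].add(rec["ip"])
    return {sig: sorted(ips) for sig, ips in sources.items() if len(ips) >= min_sources}

def repeat_visitors(log_text):
    """Hits per source IP among flagged requests; more than one suggests ongoing probing."""
    counts = Counter(rec["ip"] for rec in filter(is_headerless_post, parse(log_text)))
    return {ip: n for ip, n in counts.items() if n > 1}

if __name__ == "__main__":
    for sig, ips in bandwidth_test_hits(SAMPLE_LOG).items():
        print(sig, f"{len(ips)} sources:", ", ".join(ips))
    print("repeat visitors:", repeat_visitors(SAMPLE_LOG))
```

Against a real access log, raise `min_sources` and add a time window so that legitimate form posts from a few hosts with stripped headers do not trip the filter.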
