Educause Security Discussion mailing list archives

Bot DDOS at 10 AM


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Wed, 8 Sep 2004 11:57:12 -0400

At 10:00 EDT, we had a small army of bots here begin what appeared to be
a DDOS on two Bell Canada addresses (67.71.43.86, 64.229.195.252).

The packets were malformed ICMP with length 1052, (type=248, code=246).
Filled our DS3 pipe outbound.

After we turned off a specific resnet subnet full of machines, the
traffic dropped off.

I see that there are new IRCbot and Gaobot variants - has anyone else
seen this type of traffic?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
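
An added example, not part of the original post: one way to pick out the sending hosts from flow records when the traffic looks like what the message describes (outbound ICMP with an unexpected type value). The flow-record layout, the internal prefix 10.20.0.0/16, the documentation-range destination addresses and the list of expected ICMP types are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions: campus address space and the ICMP types this site expects to see.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
EXPECTED_ICMP_TYPES = {0, 3, 5, 8, 11, 12}

# Constructed flow records (not from the original post):
# src,dst,proto,icmp_type,icmp_code,bytes
SAMPLE_FLOWS = """\
10.20.4.17,203.0.113.86,icmp,248,246,1052
10.20.4.17,203.0.113.86,icmp,248,246,1052
10.20.4.23,198.51.100.252,icmp,248,246,1052
10.20.9.5,192.0.2.10,icmp,8,0,84
10.20.4.23,203.0.113.86,icmp,248,246,1052
192.0.2.10,10.20.9.5,icmp,0,0,84
10.20.7.2,192.0.2.53,udp,,,120
"""

def suspicious_sources(flow_text, min_packets=2):
    """Return {src: (packets, bytes, sorted dsts)} for internal hosts sending
    outbound ICMP whose type is outside EXPECTED_ICMP_TYPES."""
    stats = defaultdict(lambda: [0, 0, set()])
    for src, dst, proto, itype, _icode, size in csv.reader(io.StringIO(flow_text)):
        if proto != "icmp":
            continue
        outbound = (ipaddress.ip_address(src) in INTERNAL
                    and ipaddress.ip_address(dst) not in INTERNAL)
        if outbound and int(itype) not in EXPECTED_ICMP_TYPES:
            entry = stats[src]
            entry[0] += 1
            entry[1] += int(size)
            entry[2].add(dst)
    return {s: (n, b, sorted(d)) for s, (n, b, d) in stats.items() if n >= min_packets}

def by_subnet(hits, prefix=24):
    """Group flagged hosts by subnet to show which segment to isolate first."""
    groups = defaultdict(list)
    for src in hits:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        groups[str(net)].append(src)
    return {net: sorted(hosts) for net, hosts in groups.items()}

if __name__ == "__main__":
    for net, hosts in by_subnet(suspicious_sources(SAMPLE_FLOWS)).items():
        print(net, hosts)
```

Grouping by subnet mirrors the containment step in the message, where shutting off one residential subnet stopped the traffic.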
