Educause Security Discussion mailing list archives

Re: Bot DDOS at 10 AM


From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 8 Sep 2004 11:51:32 -0500

Jim Bollinger wrote:

At 10:00 EDT, we had a small army of bots here begin what appeared to be
a DDOS on two Bell Canada addresses (67.71.43.86, 64.229.195.252).

The packets were malformed ICMP with length 1052 (type=248, code=246).
Filled our DS3 pipe outbound.

After we turned off a specific resnet subnet full of machines, the
traffic dropped off.

I see that there are new IRCbot and Gaobot variants. Has anyone else
seen this type of traffic?

Nope, our outbound DDoS attacks so far have been SYN floods.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
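
One way to pick out the internal hosts behind traffic like that described in this thread (outbound ICMP with an unexpected type, coming from one subnet), as an added example that is not part of the original messages. The record layout, the internal subnet, the addresses and the allowlist of expected ICMP types are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# ICMP types this hypothetical site expects to leave its network (assumption):
# echo reply, unreachable, echo request, time exceeded, parameter problem.
EXPECTED_ICMP_TYPES = {0, 3, 8, 11, 12}

# Constructed sample records: (src, dst, ip_proto, icmp_type, icmp_code, length).
# Addresses are from private and documentation ranges, not from the thread.
SAMPLE_FLOWS = (
    [("10.20.0.15", "192.0.2.10", 1, 248, 246, 1052)] * 40
    + [("10.20.0.15", "198.51.100.7", 1, 248, 246, 1052)] * 35
    + [("10.20.0.22", "192.0.2.10", 1, 248, 246, 1052)] * 50
    + [("10.20.0.30", "192.0.2.99", 1, 8, 0, 84)] * 60          # ordinary ping
    + [("10.20.0.31", "192.0.2.10", 1, 248, 246, 1052)] * 2     # below threshold
    + [("203.0.113.5", "10.20.0.15", 1, 248, 246, 1052)] * 90   # inbound
    + [("10.20.0.40", "192.0.2.50", 6, None, None, 60)] * 80    # TCP
)

def flag_icmp_flooders(flows, internal_net, min_packets=10):
    """Return {internal_host: stats} for hosts sending at least min_packets
    outbound ICMP packets whose type is not in EXPECTED_ICMP_TYPES."""
    net = ipaddress.ip_network(internal_net)
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "targets": set()})
    for src, dst, proto, icmp_type, _icmp_code, length in flows:
        if proto != 1:                      # IP protocol 1 is ICMP
            continue
        # Only traffic leaving the monitored subnet for an outside address.
        if ipaddress.ip_address(src) not in net:
            continue
        if ipaddress.ip_address(dst) in net:
            continue
        if icmp_type in EXPECTED_ICMP_TYPES:
            continue
        host = stats[src]
        host["packets"] += 1
        host["bytes"] += length
        host["targets"].add(dst)
    return {h: s for h, s in stats.items() if s["packets"] >= min_packets}

if __name__ == "__main__":
    flagged = flag_icmp_flooders(SAMPLE_FLOWS, "10.20.0.0/24")
    for host, s in sorted(flagged.items()):
        print(host, s["packets"], "pkts", s["bytes"], "bytes", sorted(s["targets"]))
```

The per-host target sets make it easy to see whether several machines are hitting the same outside addresses, which is the pattern the original report describes.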
