Educause Security Discussion mailing list archives
Re: Bot DDOS at 10 AM
From: Jim Bollinger <JBollinger () WLU EDU>
Date: Wed, 8 Sep 2004 14:49:42 -0400
Thanks for confirming, we are continuing to analyze here also. Would you share what you find, and we will also? - Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

dbielawa () LIBERTY EDU 9/8/2004 12:57:18 PM >>>
We observed similar activity on our network at the exact same time. It filled our outbound DS3 connection and after shutting down several ports in the residence halls, the activity level returned to normal. At this time, we haven't had the opportunity to determine what was going on with the blocked machines.

David Bielawa
Information Services
Liberty University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Bollinger
Sent: Wednesday, September 08, 2004 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Bot DDOS at 10 AM

At 10:00 EDT, we had a small army of bots here begin what appeared to be a DDOS on two Bell Canada addresses (67.71.43.86, 64.229.195.252) The packets were malformed ICMP with length 1052, (type=248, code=246). Filled our DS3 pipe outbound. After we turned off a specific resnet subnet full of machines, the traffic dropped off. I see that there are new IRCbot and Gaobot variants- has anyone else seen this type of traffic?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
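
A detection sketch for the traffic described in the original post, added here as an example and not written by anyone in the thread: it parses raw IPv4 packets and totals, per inside host, the outbound bytes sent as ICMP with a type in the unassigned range 44-252 (which includes type 248). The `RESNET` subnet, the function names, the reading of "length 1052" as the IP total length, and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# ICMPv4 types 44-252 have no IANA assignment, so type 248 from the thread falls here.
UNASSIGNED_TYPES = range(44, 253)
RESNET = ipaddress.ip_network("10.20.0.0/16")  # assumed residence-hall subnet

def parse_icmp(pkt):
    """Return (src, dst, type, code, ip_total_len) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Protocol 1 is ICMP; later fragments carry no ICMP header to inspect.
    if ihl < 20 or pkt[9] != 1 or frag_off or len(pkt) < ihl + 2:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1], total_len

def flag_sources(packets, inside=RESNET):
    """Bytes sent per inside host in outbound ICMP packets that use an unassigned type."""
    out = Counter()
    for pkt in packets:
        rec = parse_icmp(pkt)
        if rec and rec[0] in inside and rec[1] not in inside and rec[2] in UNASSIGNED_TYPES:
            out[str(rec[0])] += rec[4]
    return out

def build(src, dst, icmp_type, code, total_len):
    """Constructed test packet: minimal IPv4 header (checksum left 0) plus ICMP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return ip + icmp + bytes(total_len - len(ip) - len(icmp))

# Constructed sample capture; destinations use the 192.0.2.0/24 documentation range.
SAMPLE = (
    [build("10.20.1.5", "192.0.2.10", 248, 246, 1052)] * 3   # flood-like traffic
    + [build("10.20.1.9", "192.0.2.11", 248, 246, 1052)]
    + [build("10.20.1.7", "192.0.2.10", 8, 0, 84)]           # ordinary echo request
    + [build("10.30.0.2", "192.0.2.10", 248, 246, 1052)]     # outside the watched subnet
)

if __name__ == "__main__":
    for host, nbytes in flag_sources(SAMPLE).most_common():
        print(host, nbytes)
```

Ranking hosts by flagged bytes gives the order in which to pull switch ports when the uplink is saturated, before the machines themselves have been examined.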