Educause Security Discussion mailing list archives

Re: Bot DDOS at 10 AM


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Wed, 8 Sep 2004 14:49:42 -0400

Thanks for confirming, we are continuing to analyze here also. Would you
share what you find, and we will also? - Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

dbielawa () LIBERTY EDU 9/8/2004 12:57:18 PM >>>
We observed similar activity on our network at the exact same time. It
filled our outbound DS3 connection and after shutting down several ports
in the residence halls, the activity level returned to normal.

At this time, we haven't had the opportunity to determine what was going
on with the blocked machines.

David Bielawa
Information Services
Liberty University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Bollinger
Sent: Wednesday, September 08, 2004 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Bot DDOS at 10 AM

At 10:00 EDT, we had a small army of bots here begin what appeared to be
a DDOS on two Bell Canada addresses (67.71.43.86, 64.229.195.252)

The packets were malformed ICMP with length 1052, (type=248, code=246).
Filled our DS3 pipe outbound.

After we turned off a specific resnet subnet full of machines, the
traffic dropped off.

I see that there are new IRCbot and Gaobot variants- has anyone else
seen this type of traffic?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
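
A border-sensor check for the traffic reported in this thread, as an added example that is not part of any poster's message: it parses raw IPv4 packets, flags ICMP types outside an expected set, and counts them per source so hosts sending type=248/code=246 stand out. The expected-type set, the threshold, the sample addresses and the reading of 1052 as the IP total length are assumptions; the packets are constructed.

```python
import socket
import struct
from collections import Counter

# Assumption: ICMP types a campus border normally expects to see outbound.
EXPECTED_ICMP_TYPES = {0, 3, 8, 11, 12}

def parse_icmp(packet: bytes):
    """Return (src, dst, icmp_type, icmp_code, total_len), or None if not IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 2:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1], total_len

def suspicious_sources(packets, min_packets=3):
    """Count unexpected-type ICMP packets per (src, dst, type, code, len) and
    return the groups with at least min_packets packets."""
    counts = Counter()
    for pkt in packets:
        rec = parse_icmp(pkt)
        if rec and rec[2] not in EXPECTED_ICMP_TYPES:
            counts[rec] += 1
    return {key: n for key, n in counts.items() if n >= min_packets}

def build_packet(src, dst, icmp_type, icmp_code, payload_len):
    """Construct a minimal IPv4+ICMP packet for the sample data (checksums left zero)."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    return ip + icmp + b"\x00" * payload_len

# Constructed sample: two noisy hosts, one normal pinger, one below threshold.
SAMPLE = (
    [build_packet("10.20.30.41", "198.51.100.7", 248, 246, 1024)] * 5
    + [build_packet("10.20.30.42", "198.51.100.7", 248, 246, 1024)] * 4
    + [build_packet("10.20.30.50", "192.0.2.10", 8, 0, 56)] * 6
    + [build_packet("10.20.30.51", "192.0.2.10", 248, 246, 1024)] * 1
)

if __name__ == "__main__":
    for (src, dst, t, c, length), n in sorted(suspicious_sources(SAMPLE).items()):
        print(f"{src} -> {dst} icmp type={t} code={c} len={length} packets={n}")
```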
