funsec mailing list archives

Re: InfoSec Slammer :-)


From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 02 May 2006 23:02:33 -0400

The "presence" of Slammer traffic is absolutely no surprise to me - it
is still there as background noise, if nothing else.  Was the "surprise
factor" simply that the traffic was there, or that it wasn't filtered? 
Or did it have a local origin?

Just for grins, I stuck a logging ACL on our edge to log udp/1434
traffic (most of which is slammer, since my IDS used to get hyperactive
about it before I filtered it on ingress).  Here is one minute worth of
logging before the IOS rate-limiting kicked in and summarized.  This is
front-ending a /18 block.

May  2 22:50:39 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
58.253.248.2(1033) -> x.y.147.30(1434), 1 packet
May  2 22:50:42 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
60.237.219.247(1086) -> x.y.142.221(1434), 1 packet
May  2 22:50:43 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.180.10.32(1430) -> x.y.170.66(1434), 1 packet
May  2 22:50:44 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
219.146.78.59(3145) -> x.y.151.15(1434), 1 packet
May  2 22:50:48 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
58.253.248.2(1033) -> x.y.138.56(1434), 1 packet
May  2 22:50:50 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.180.10.32(1430) -> x.y.161.92(1434), 1 packet
May  2 22:50:51 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
219.146.78.59(3145) -> x.y.186.30(1434), 1 packet
May  2 22:50:52 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.131.147(1434), 1 packet
May  2 22:50:53 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
58.253.248.2(1033) -> x.y.132.244(1434), 1 packet
May  2 22:50:55 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.137.57(1434), 1 packet
May  2 22:50:56 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
58.253.248.2(1033) -> x.y.129.82(1434), 1 packet
May  2 22:50:58 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.159.225.19(1449) -> x.y.138.176(1434), 1 packet
May  2 22:51:00 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.146.178(1434), 1 packet
May  2 22:51:01 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.149.133(1434), 1 packet
May  2 22:51:03 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.180.10.32(1430) -> x.y.143.144(1434), 1 packet
May  2 22:51:04 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
202.107.219.9(1611) -> x.y.186.173(1434), 1 packet
May  2 22:51:05 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.180.10.32(1430) -> x.y.140.238(1434), 1 packet
May  2 22:51:06 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.158.254(1434), 1 packet
May  2 22:51:07 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.134.60.18(1084) -> x.y.168.187(1434), 1 packet
May  2 22:51:09 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.180.10.32(1430) -> x.y.134.170(1434), 1 packet
May  2 22:51:11 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.167.119(1434), 1 packet
May  2 22:51:12 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
59.42.252.106(1045) -> x.y.191.251(1434), 1 packet
May  2 22:51:14 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.173.29(1434), 1 packet
May  2 22:51:16 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
210.131.60.201(1072) -> x.y.176.240(1434), 1 packet
May  2 22:51:17 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.91.72.66(3315) -> x.y.168.188(1434), 1 packet
May  2 22:51:18 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
219.159.68.194(1654) -> x.y.177.213(1434), 1 packet
May  2 22:51:20 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
60.190.80.234(3933) -> x.y.131.137(1434), 1 packet
May  2 22:51:21 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
222.91.72.66(3315) -> x.y.162.120(1434), 1 packet
May  2 22:51:23 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.185.221.169(44063) -> x.y.181.149(1434), 1 packet
May  2 22:51:25 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
68.61.38.159(1606) -> x.y.140.28(1434), 1 packet
May  2 22:51:28 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
60.177.96.167(1431) -> x.y.180.39(1434), 1 packet
May  2 22:51:29 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
66.15.176.131(3299) -> x.y.146.135(1434), 1 packet
May  2 22:51:30 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.134.60.18(1084) -> x.y.138.103(1434), 1 packet
May  2 22:51:32 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.134.60.18(1084) -> x.y.135.197(1434), 1 packet
May  2 22:51:34 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
221.188.216.70(4087) -> x.y.142.152(1434), 1 packet
May  2 22:51:36 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
219.159.68.194(1654) -> x.y.156.103(1434), 1 packet
May  2 22:51:37 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
61.134.60.18(1084) -> x.y.129.129(1434), 1 packet
May  2 22:51:39 EDT: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 70 packets

Jeff

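The post's minute of logging is useful only once it is reduced to counts per source and once the trailing %SEC-6-IPACCESSLOGRL line is taken into account, since IOS rate-limiting means the logged packets undercount what the ACL actually dropped. The following parser is an added example, not part of the original post; it assumes the two-line wrapped layout of the archive shown above and uses constructed sample lines with documentation-range addresses in place of the real sources.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the archived post: the archive
# wraps each IOS message across two lines, and the last message is the
# rate-limit summary that reports how many packets were never logged.
SAMPLE_LOG = """\
May  2 22:50:39 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
203.0.113.5(1033) -> x.y.147.30(1434), 1 packet
May  2 22:50:42 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
198.51.100.7(1086) -> x.y.142.221(1434), 1 packet
May  2 22:50:48 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp
203.0.113.5(1033) -> x.y.138.56(1434), 1 packet
May  2 22:50:50 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied tcp
198.51.100.9(4444) -> x.y.1.1(445), 1 packet
May  2 22:51:39 EDT: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 70 packets
"""

# One IPACCESSLOGP entry: ACL name, action, protocol, src(port) -> dst(port), count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# The rate-limit summary that IOS emits once logging throttles.
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (?P<missed>\d+) packets")

def unwrap(text):
    """Re-join archive-wrapped messages: a new message starts at a timestamp."""
    msgs = []
    for line in text.splitlines():
        if not msgs or re.match(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d", line):
            msgs.append(line.strip())
        else:
            msgs[-1] += " " + line.strip()
    return msgs

def summarize(text, port=1434):
    """Count logged udp/<port> drops per source and add the throttled remainder."""
    logged, missed, sources, targets = 0, 0, Counter(), set()
    for msg in unwrap(text):
        m = LOG_RE.search(msg)
        if m:
            if m["proto"] == "udp" and int(m["dport"]) == port:
                logged += int(m["count"])
                sources[m["src"]] += int(m["count"])
                targets.add(m["dst"])
            continue
        r = RL_RE.search(msg)
        if r:
            missed += int(r["missed"])
    return {"logged": logged, "missed": missed,
            "sources": sources, "targets": len(targets)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The true drop count for the window is logged plus missed, so a per-minute figure taken from the logged lines alone is a floor, not a measurement.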