funsec mailing list archives
Re: InfoSec Slammer :-)
From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 02 May 2006 23:02:33 -0400
The "presence" of Slammer traffic is absolutely no surprise to me - it is still there as background noise, if nothing else. Was the "surprise factor" simply that the traffic was there, or that it wasn't filtered? Or did it have a local origin? Just for grins, I stuck a logging ACL on our edge to log udp/1434 traffic (most of which is Slammer, since my IDS used to get hyperactive about it before I filtered it on ingress). Here is one minute's worth of logging before the IOS rate-limiting kicked in and summarized. This is front-ending a /18 block.
May 2 22:50:39 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 58.253.248.2(1033) -> x.y.147.30(1434), 1 packet
May 2 22:50:42 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 60.237.219.247(1086) -> x.y.142.221(1434), 1 packet
May 2 22:50:43 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.180.10.32(1430) -> x.y.170.66(1434), 1 packet
May 2 22:50:44 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 219.146.78.59(3145) -> x.y.151.15(1434), 1 packet
May 2 22:50:48 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 58.253.248.2(1033) -> x.y.138.56(1434), 1 packet
May 2 22:50:50 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.180.10.32(1430) -> x.y.161.92(1434), 1 packet
May 2 22:50:51 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 219.146.78.59(3145) -> x.y.186.30(1434), 1 packet
May 2 22:50:52 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.131.147(1434), 1 packet
May 2 22:50:53 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 58.253.248.2(1033) -> x.y.132.244(1434), 1 packet
May 2 22:50:55 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.137.57(1434), 1 packet
May 2 22:50:56 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 58.253.248.2(1033) -> x.y.129.82(1434), 1 packet
May 2 22:50:58 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.159.225.19(1449) -> x.y.138.176(1434), 1 packet
May 2 22:51:00 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.146.178(1434), 1 packet
May 2 22:51:01 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.149.133(1434), 1 packet
May 2 22:51:03 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.180.10.32(1430) -> x.y.143.144(1434), 1 packet
May 2 22:51:04 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 202.107.219.9(1611) -> x.y.186.173(1434), 1 packet
May 2 22:51:05 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.180.10.32(1430) -> x.y.140.238(1434), 1 packet
May 2 22:51:06 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.158.254(1434), 1 packet
May 2 22:51:07 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.134.60.18(1084) -> x.y.168.187(1434), 1 packet
May 2 22:51:09 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.180.10.32(1430) -> x.y.134.170(1434), 1 packet
May 2 22:51:11 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.167.119(1434), 1 packet
May 2 22:51:12 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 59.42.252.106(1045) -> x.y.191.251(1434), 1 packet
May 2 22:51:14 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.173.29(1434), 1 packet
May 2 22:51:16 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 210.131.60.201(1072) -> x.y.176.240(1434), 1 packet
May 2 22:51:17 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.91.72.66(3315) -> x.y.168.188(1434), 1 packet
May 2 22:51:18 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 219.159.68.194(1654) -> x.y.177.213(1434), 1 packet
May 2 22:51:20 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 60.190.80.234(3933) -> x.y.131.137(1434), 1 packet
May 2 22:51:21 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 222.91.72.66(3315) -> x.y.162.120(1434), 1 packet
May 2 22:51:23 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.185.221.169(44063) -> x.y.181.149(1434), 1 packet
May 2 22:51:25 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 68.61.38.159(1606) -> x.y.140.28(1434), 1 packet
May 2 22:51:28 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 60.177.96.167(1431) -> x.y.180.39(1434), 1 packet
May 2 22:51:29 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 66.15.176.131(3299) -> x.y.146.135(1434), 1 packet
May 2 22:51:30 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.134.60.18(1084) -> x.y.138.103(1434), 1 packet
May 2 22:51:32 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.134.60.18(1084) -> x.y.135.197(1434), 1 packet
May 2 22:51:34 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 221.188.216.70(4087) -> x.y.142.152(1434), 1 packet
May 2 22:51:36 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 219.159.68.194(1654) -> x.y.156.103(1434), 1 packet
May 2 22:51:37 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 61.134.60.18(1084) -> x.y.129.129(1434), 1 packet
May 2 22:51:39 EDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 70 packets
Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
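A logging ACL like the one in Jeff's post produces one %SEC-6-IPACCESSLOGP line per hit until the IOS rate limiter cuts in and collapses the rest into a single %SEC-6-IPACCESSLOGRL "missed N packets" line, so the raw log is a lower bound and needs summarizing before it says anything. The following is an added example, not code from the post or from IOS: a small Python parser that tallies udp/1434 hits per source, adds the rate-limited count back in as an estimate, and flags sources that hit several distinct destinations from one unchanging source port, which is what a Slammer-infected host looks like (it sprays random destinations from a single UDP socket, as the repeated 58.253.248.2(1033) entries in the post illustrate). The message format is taken from the post; the sample log lines, the RFC 5737 addresses in them, and the three-target threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of Cisco IOS logging-ACL messages (not the
# post's own log; sources use RFC 5737 documentation ranges). A tcp line is
# included to show that only udp/1434 is tallied.
SAMPLE_LOG = """\
May 2 22:50:39 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 198.51.100.7(1033) -> x.y.147.30(1434), 1 packet
May 2 22:50:42 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 203.0.113.9(1086) -> x.y.142.221(1434), 1 packet
May 2 22:50:48 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 198.51.100.7(1033) -> x.y.138.56(1434), 1 packet
May 2 22:50:53 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 198.51.100.7(1033) -> x.y.132.244(1434), 1 packet
May 2 22:50:55 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied tcp 192.0.2.44(2010) -> x.y.137.57(1434), 1 packet
May 2 22:50:56 EDT: %SEC-6-IPACCESSLOGP: list sanity-check denied udp 198.51.100.7(1033) -> x.y.129.82(1434), 2 packets
May 2 22:51:39 EDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 70 packets
"""

# One IPACCESSLOGP hit: ACL name, action, protocol, src(sport) -> dst(dport), count.
# The address fields accept anything without whitespace or "(", so the post's
# anonymized "x.y.a.b" destinations parse as well as real addresses.
HIT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# The summary line IOS emits once the ACL log rate limiter kicks in.
RL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed "
    r"(?P<missed>\d+) packets?"
)


def summarize(log_text, proto="udp", dport="1434", min_targets=3):
    """Tally logged hits on proto/dport and flag scanner-like sources.

    A source that hits min_targets (an assumed threshold) or more distinct
    destinations from one unchanging source port is reported as a scanner:
    a Slammer-infected host sends from a single UDP socket, so its source
    port stays fixed while the destination changes with every packet.
    """
    packets_by_src = Counter()
    targets = defaultdict(set)  # (src, sport) -> set of destinations hit
    logged = missed = 0
    for line in log_text.splitlines():
        hit = HIT_RE.search(line)
        if hit:
            if hit["proto"] != proto or hit["dport"] != dport:
                continue  # other traffic the same ACL happened to log
            n = int(hit["count"])
            logged += n
            packets_by_src[hit["src"]] += n
            targets[(hit["src"], hit["sport"])].add(hit["dst"])
            continue
        rl = RL_RE.search(line)
        if rl:
            missed += int(rl["missed"])
    scanners = sorted(
        ((src, sport, len(dsts)) for (src, sport), dsts in targets.items()
         if len(dsts) >= min_targets),
        key=lambda t: (-t[2], t[0]),
    )
    return {
        "logged": logged,
        "missed": missed,
        # The RL counter covers every rate-limited message on the ACL, not just
        # this port, so this is only an estimate of the true hit count; the
        # logged figure by itself is a lower bound.
        "estimated_total": logged + missed,
        "packets_by_src": dict(packets_by_src),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"logged {report['logged']} udp/1434 packets, {report['missed']} more "
          f"rate-limited (~{report['estimated_total']} total)")
    for src, n in sorted(report["packets_by_src"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:>15}  {n} packet(s)")
    for src, sport, ntargets in report["scanners"]:
        print(f"scanner-like: {src}:{sport} hit {ntargets} distinct hosts "
              f"from one source port")
```

On a real box the input would be the syslog collector's copy of these messages rather than an inline string; if the ACL rate limiter is summarizing most of the traffic, the per-source counts are only meaningful for the window before it kicks in, and NetFlow or an IDS on the ingress side is the better source for the full picture.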
Current thread:
- InfoSec Slammer :-) Dude VanWinkle (May 02)
- Re: InfoSec Slammer :-) Nick FitzGerald (May 02)
- Re: InfoSec Slammer :-) Dude VanWinkle (May 02)
- Re: InfoSec Slammer :-) Valdis . Kletnieks (May 02)
- Re: InfoSec Slammer :-) Jeff Kell (May 02)
- Re: InfoSec Slammer :-) Nick FitzGerald (May 02)