Security Incidents mailing list archives

Re: I am popular today...


From: viha () CRYPTLINK NET (Ville)
Date: Sat, 29 Apr 2000 14:39:23 +0300


On Fri, 28 Apr 2000, Dirk Koopman wrote:

> Are ALL these people _really_ interested in the response time of my class C?
> Or is this some kind of (pointless) DoS? Has one of hidden M$ machines
> been acquired by some trojan?
>
> Are you one of these?

None of ours, but the lot of them do seem like quite innocent average
Windows boxen.

Were all of the pings targeted at one IP or do you host a bunch of
virtual domains? If you do, you could _occasionally_ see pings done
by clients using 'efficient downloading' software that check for site
availability.

It could be interesting if you contacted one of those domains and
asked them to query the customer to run the latest anti-virus s/w.

Is it continuous, or did you only see it as a one-time happening? It
could also be a really small DDoS network only forming (or spreading,
if it happens to be a trojan) now.

Though, if none of your customers do IRC or anything overly
interactive, I see no reason they would bother trying to flood your box.

You might also want to dump those raw packets to see if they contain
any known patterns or sequences - some IDS might already have a
signature to match them.


--
        Ville(viha () cryptlink net, 'Cryptlink Networking);
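
An added example, not part of the original post: one way to act on the suggestion to dump the raw packets and look for known patterns is to group captured ICMP echo requests by payload and list which sources sent each one. The sample packets, the addresses and the helper names are constructed for illustration; the only signature included is the well-known default payload of the Windows ping utility.

```python
import socket
import struct
from collections import defaultdict

# Default 32-byte payload of the Windows ping utility (well-known pattern).
WIN = b"abcdefghijklmnopqrstuvwabcdefghi"
KNOWN_PAYLOADS = {WIN: "Windows ping default"}

def parse_echo_request(pkt):
    """Return (source_ip, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                           # IP header length in bytes
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:   # protocol 1 = ICMP
        return None
    if pkt[ihl] != 8 or pkt[ihl + 1] != 0:              # type 8, code 0 = echo request
        return None
    return socket.inet_ntoa(pkt[12:16]), pkt[ihl + 8:]

def group_by_payload(packets):
    """Map each distinct payload to (label, sorted list of source IPs)."""
    sources = defaultdict(set)
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed:
            sources[parsed[1]].add(parsed[0])
    return {p: (KNOWN_PAYLOADS.get(p, "unrecognised"), sorted(s))
            for p, s in sources.items()}

def build_echo(src, payload, icmp_type=8):
    """Construct a minimal IPv4+ICMP packet for the sample data (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    build_echo("198.51.100.7", WIN),
    build_echo("198.51.100.9", WIN),
    build_echo("203.0.113.5", b"\x00" * 64),
    build_echo("203.0.113.5", WIN, icmp_type=0),  # echo reply: ignored
]

if __name__ == "__main__":
    for payload, (label, srcs) in group_by_payload(SAMPLE).items():
        print(f"{len(payload):3d} bytes  {label:22s} {', '.join(srcs)}")
```

Many unrelated sources sharing one unrecognised payload is the kind of pattern worth comparing against IDS signatures; the stock Windows payload from many sources points instead at ordinary clients or software driving the system ping.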


