Security Incidents mailing list archives
Re: 1000% increase in traffic
From: Anders Thulin <Anders.X.Thulin () TELIA SE>
Date: Mon, 26 Feb 2001 12:14:47 +0100
Bob Wright wrote:
> Hello guys, thank you for reading this email.. I believe I might have an exploited box on my hands. At my place of employment we usually range about 728b/s as our average for output (128k Connection). Now starting at Friday at 12am to Sat 12pm (about) MRTG (traffic analyser) showed us averaging about 7744b/s !! on a weekend at that late of night. And all out to boot.

If you have an exploited box, all that traffic should have the box IP address as src or dst IP (or have src addresses not on your net, in case of spoofed attacks). Grab hold of a sniffer, and check what is actually going on over the net. It seems predictable enough for you to be sure you can grab a number of packets.

> This worries me because of our data (of course) or that we might have a possible client on one of the many machines for a DDOS.

I've seen somewhat similar traffic behaviour with a customer network: usually very little traffic over a 128 kb net, but one evening from 20.00 to midnight it was flooded flat out -- and then it went back to normal levels. We thought it might have been a very hard scanning or DoS attack after a successful intrusion, so we called the customer to warn them. When we did, we learned that we had witnessed a Quake tournament between the local office and a branch office ...

-- 
Anders Thulin   Anders.X.Thulin () telia se   040-10 50 63
Telia ProSoft AB, Box 85, SE-201 20 Malmö, Sweden
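
Added example, not part of the original message: one way to do the sniffer check suggested above is to total the captured bytes per local source and destination address, and to list frames where neither address is on the local network (possible spoofed sources). The function names, the 192.0.2.0/24 network and the sample packets are constructed for illustration; it reads the classic pcap format with Ethernet framing only.

```python
import ipaddress
import struct
from collections import Counter

def build_pcap(packets):
    """Constructed sample capture: (src, dst, payload_len) tuples -> classic pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, n in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + n, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * n
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def summarize(pcap, local_net):
    """Return (sent, received, off_net) byte counters keyed by IP address."""
    net = ipaddress.ip_network(local_net)
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    sent, received, off_net = Counter(), Counter(), Counter()
    off = 24
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src in net:
            sent[str(src)] += orig       # a local box is the source
        elif dst in net:
            received[str(dst)] += orig   # a local box is the destination
        else:
            off_net[str(src)] += orig    # neither end is ours: possible spoofed source
    return sent, received, off_net

# Constructed traffic; 192.0.2.0/24 stands in for the office network.
SAMPLE = build_pcap([("192.0.2.10", "198.51.100.7", 1000)] * 5 + [
    ("192.0.2.20", "198.51.100.7", 50), ("198.51.100.7", "192.0.2.20", 50),
    ("203.0.113.99", "198.51.100.7", 100)])
```

Calling `summarize(SAMPLE, "192.0.2.0/24")` and taking `most_common()` on the first counter puts the busiest local sender at the top, which is the box to look at first.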