Re: strange attacks - flood udp packets from 1030 to msql

From: Eric Nelson (en@megahosted.com)
Date: 01/26/03

Next message: Danny: "RE: New spam-probing wave?"

Previous message: Víctor: "Re: strange attacks - flood udp packets from 1030 to msql"
In reply to: Uwe Dippel: "strange attacks - flood udp packets from 1030 to msql"
Next in thread: Dan Perez: "RE: strange attacks - flood udp packets from 1030 to msql"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 25 Jan 2003 15:01:10 -0800
From: Eric Nelson <en@megahosted.com>
To: Uwe Dippel <udippel@yahoo.com>

On Sat, Jan 25, 2003 at 03:51:59AM -0800, Uwe Dippel wrote:
> The subject says it.
> Strange behaviour and no clue here why.
> A server floods random (??) IP-addresses with udp-packets from iad1 to
> 1434 (msql), overflowing the external router,yadayadayada. DoS, in
> short.
> Anyone seen this before ??
>
> Uwe
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

Yes, our colocation facility was severely crippled by this worm from
about 8pm Friday, the 24th until about 2pm today (PST).

You can see here on the mrtg graphs the extent of the congestion it
caused.

http://oak-mrtg.inreach.com/oak/colo/005/209.209.25.185.4.html

I could login to my machines there, but I couldn't run any commands
whatsoever from them. A simple ps -fe would hang the session.

-- 
Eric Nelson	<en@megahosted.com>	GPG-key: C4AB5707
http://www.megahosted.com/~en/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Danny: "RE: New spam-probing wave?"
Previous message: Víctor: "Re: strange attacks - flood udp packets from 1030 to msql"
In reply to: Uwe Dippel: "strange attacks - flood udp packets from 1030 to msql"
Next in thread: Dan Perez: "RE: strange attacks - flood udp packets from 1030 to msql"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Malicious web sites
... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
(Incidents)
Re: [incident] IIS defacement through FTP, possible DoS
... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
(Incidents)
RE: Distributed ICMP/UDP scan or attack?
... This list is provided by the SecurityFocus ARIS analyzer service. ... and tracking system please see: http://aris.securityfocus.com ... For more information on this free incident handling, management ...
(Incidents)
RE: Can anyone identify this backdoor?
... > and tracking system please see: http://aris.securityfocus.com ... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management ...
(Incidents)
RE: Code Red Scan
... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
(Incidents)