UDP packets from Apache ? New DDOS ?
From: Dave Foster (dave_at_canadian.net)
Date: 07/07/04
- Previous message: Angus Marshall: "e-crime and computer evidence Call for Papers"
- Next in thread: Bojan Zdrnja: "RE: UDP packets from Apache ? New DDOS ?"
- Reply: Bojan Zdrnja: "RE: UDP packets from Apache ? New DDOS ?"
- Maybe reply: Strand, John: "RE: UDP packets from Apache ? New DDOS ?"
To: <incidents@securityfocus.com>
Date: Wed, 7 Jul 2004 13:51:02 -0400
Hi All,
Some months ago, we noticed a large amount of outbound traffic. Shutting
down our Apache webserver stopped it. After a restart, it never reoccurred;
I assumed some glitch that was corrected by the restart. We did NOT have the
SSL bug.
This morning, a system admin in Austria informed me that his box was
streaming UDP packets at us. This coincided with a major DDOS attack against
us. Shutting down his Apache resolved the issue, and he is now temporarily
blocking UDP from that host. He has provided a TCPdump to me, a portion of
which follows. Can anyone shed some light on what might be the cause? Has
it been seen before?
07:40:52.116687 IP 192.168.1.106.49043 > 209.123.78.248.50567: UDP, length: 1000
        0x0000:  4500 0404 0000 4000 4011 5463 c0a8 016a  E.....@.@.Tc...j
        0x0010:  d17b 4ef8 bf93 c587 03f0 2703 4242 4242  .{N.......'.BBBB
        0x0020:  4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
        0x0030:  4242 4242 4242                           BBBBBB
Dave Foster
Systems Administrator, Canadian Net
1-800-427-8564
+1 416 245-1374
UK 0870 3400558
FAX +1 416 241-5274
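
An added example, not part of the original post: a Python decode of the hex bytes in the tcpdump excerpt above, reading out the IPv4 and UDP header fields and checking whether the captured payload is one repeated byte. The function and variable names are hypothetical; only the packet bytes come from the post, and Python 3 is assumed.

```python
import socket
import struct

# Bytes transcribed from the tcpdump hex output in the post (54 bytes captured).
CAPTURED_HEX = """
4500 0404 0000 4000 4011 5463 c0a8 016a
d17b 4ef8 bf93 c587 03f0 2703 4242 4242
4242 4242 4242 4242 4242 4242 4242 4242
4242 4242 4242
"""
PACKET = bytes.fromhex("".join(CAPTURED_HEX.split()))

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_udp(pkt: bytes) -> dict:
    """Decode a (possibly snap-length truncated) IPv4/UDP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("truncated before end of UDP header")
    if pkt[9] != 17:
        raise ValueError("IP protocol is not UDP")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:]                        # only what the capture kept
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "ttl": pkt[8],
        "ip_total_len": struct.unpack("!H", pkt[2:4])[0],
        "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "udp_payload_len": udp_len - 8,            # on-the-wire payload size
        "captured_payload": len(payload),
        # Set when every captured payload byte is identical (constant fill).
        "fill_byte": payload[:1] if len(set(payload)) == 1 else None,
    }

if __name__ == "__main__":
    for field, value in decode_ipv4_udp(PACKET).items():
        print(f"{field:17} {value}")
```

The excerpt holds only 26 of the 1000 payload bytes, so the constant-fill result describes the captured portion, not the whole datagram.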