RE: Has Anyone seen this?

From: Stewart John H SSSD (StewartJH@SUPSHIP.NAVY.MIL)
Date: 11/23/01 

Message-ID: <76B92C2FC548D311A2DA0008C791893403551384@sssdexch.sssd.navy.mil>
From: Stewart John H SSSD <StewartJH@SUPSHIP.NAVY.MIL>
To: "'Roberto Moncayo'" <rmoncayo@disitem.com.mx>, Seth Keller <kellers@culver.k12.in.us>
Subject: RE: Has Anyone seen this?
Date: Fri, 23 Nov 2001 10:37:35 -0800

They are streaming media sites serving up mostly audio files.

John Stewart
Information Systems Security Manager
(619) 556-2774
(619) 726-1580 (Cell/Pager)

-----Original Message-----
From: Roberto Moncayo [mailto:rmoncayo@disitem.com.mx]
Sent: Thursday, November 22, 2001 4:33 PM
To: Seth Keller
Cc: security-basics@securityfocus.com
Subject: Re: Has Anyone seen this?

At the first, try using a Access List in your border router..... here is
some information about the IP

iBEAM Broadcasting Corporation (NETBLK-IBEAM)
        645 Almanor Ave, Suite 100
        Sunnyvale, CA 94086
        US

        Netname: IBEAM
        Netblock: 216.106.160.0 - 216.106.175.255
        Maintainer: BEAM

        Coordinator:
           Newton, Mike (MN179-ARIN) mnewton@ibeam.com
           408/523-1646

        Domain System inverse mapping provided by:

        NS1.IBEAM.COM 216.35.151.103
        NS2.IBEAM.COM 204.247.99.125

        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

        Record last updated on 02-May-2001.
        Database last updated on 21-Nov-2001 19:54:03 EDT.

Good look

----- Original Message -----
From: "Seth Keller" <kellers@culver.k12.in.us>
Sent: Wednesday, November 21, 2001 2:39 PM
Subject: Has Anyone seen this?

> I don't think my first post made it through, so here goes again. Our web
server has been completely bombarded for about four hours now by a specific
range of IP addresses. Our T1 line has been at 100% capacity during this
ordeal. We are receiving around 250 packets per second from a range of IPs
that I cannot completely trace.
>
> The range is 216.106.166.141 through 216.106.166.141. All packets appear
to be legit http requests for port 80. The requests cycle through from one
IP after the next and then the cycle starts over. I have tried using
http://www.network-tools.com to trace the numbers to no avail. I can only
get within the last five nodes before the trace times out.
>
> Does anyone have any ideas what this may be? I'm thinking maybe a new
worm or a DOS but I'm not sure yet. Thanks in advance.
>
> Seth Keller
> Culver Community Schools
> A+/N+/CIW
> Intel Certified Integration Specialist 2000/2001
>
>

Relevant Pages

  • Re: Has Anyone seen this?
    ... We are receiving around 250 packets per second from a range of IPs ... to be legit http requests for port 80. ... The requests cycle through from one ... http://www.network-tools.com to trace the numbers to no avail. ...
    (Security-Basics)
  • Re: Has Anyone seen this?
    ... packets per second from a range of IPs that I cannot completely trace. ... http requests for port 80. ... The requests cycle through from one IP after the next and ...
    (Security-Basics)
  • Re: TCP stack bug related to F-RTO?
    ... On the wrong tcp checksum, that's because of hardware checksum offload. ... As for the seq/ack number, because the trace is long, I deliberately removed those irrelevant packets between after the three-way handshake and when the problem happens. ... The client opens up a big window, ...
    (Linux-Kernel)
  • RE: how to trace what is accessing the nic ?
    ... how to trace what is accessing the nic? ... > There is happening something very strange on one of our Linux ... > packets to always the same private address. ... This e-mail message is private, is intended for the recipient named in it and may contain material which is confidential and privileged. ...
    (Security-Basics)
  • Re: TCP stack bug related to F-RTO?
    ... in the trace), but all of them are dropped due to some ... Server is still in slow start mode, ... time retransmission timer expiring before retransmit the lost packets. ...
    (Linux-Kernel)