RE: Has Anyone seen this?

From: Stewart John H SSSD (StewartJH@SUPSHIP.NAVY.MIL)
Date: 11/23/01


Message-ID: <76B92C2FC548D311A2DA0008C791893403551384@sssdexch.sssd.navy.mil>
From: Stewart John H SSSD <StewartJH@SUPSHIP.NAVY.MIL>
To: "'Roberto Moncayo'" <rmoncayo@disitem.com.mx>, Seth Keller <kellers@culver.k12.in.us>
Subject: RE: Has Anyone seen this?
Date: Fri, 23 Nov 2001 10:37:35 -0800

They are streaming media sites serving up mostly audio files.

John Stewart
Information Systems Security Manager
(619) 556-2774
(619) 726-1580 (Cell/Pager)

-----Original Message-----
From: Roberto Moncayo [mailto:rmoncayo@disitem.com.mx]
Sent: Thursday, November 22, 2001 4:33 PM
To: Seth Keller
Cc: security-basics@securityfocus.com
Subject: Re: Has Anyone seen this?

At the first, try using a Access List in your border router..... here is
some information about the IP

iBEAM Broadcasting Corporation (NETBLK-IBEAM)
        645 Almanor Ave, Suite 100
        Sunnyvale, CA 94086
        US

        Netname: IBEAM
        Netblock: 216.106.160.0 - 216.106.175.255
        Maintainer: BEAM

        Coordinator:
           Newton, Mike (MN179-ARIN) mnewton@ibeam.com
           408/523-1646

        Domain System inverse mapping provided by:

        NS1.IBEAM.COM 216.35.151.103
        NS2.IBEAM.COM 204.247.99.125

        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

        Record last updated on 02-May-2001.
        Database last updated on 21-Nov-2001 19:54:03 EDT.

Good look

----- Original Message -----
From: "Seth Keller" <kellers@culver.k12.in.us>
Sent: Wednesday, November 21, 2001 2:39 PM
Subject: Has Anyone seen this?

> I don't think my first post made it through, so here goes again. Our web
server has been completely bombarded for about four hours now by a specific
range of IP addresses. Our T1 line has been at 100% capacity during this
ordeal. We are receiving around 250 packets per second from a range of IPs
that I cannot completely trace.
>
> The range is 216.106.166.141 through 216.106.166.141. All packets appear
to be legit http requests for port 80. The requests cycle through from one
IP after the next and then the cycle starts over. I have tried using
http://www.network-tools.com to trace the numbers to no avail. I can only
get within the last five nodes before the trace times out.
>
> Does anyone have any ideas what this may be? I'm thinking maybe a new
worm or a DOS but I'm not sure yet. Thanks in advance.
>
> Seth Keller
> Culver Community Schools
> A+/N+/CIW
> Intel Certified Integration Specialist 2000/2001
>
>