Re: IP Flooding

From: StarScripter (me_at_privacy.net)
Date: 08/19/03


Date: Tue, 19 Aug 2003 09:53:21 -0400


==> *Hamish* from: hamish2444@yahoo.com
==> scribbled in: rup0b.46046$bo1.8283@news-server.bigpond.net.au

> I have a Win2K server that is demonstrating signs of IP spoofing and
> Denial of Service. The server connects to the internet via a DUN
> connection shared using ICS. In the last two days the network has slowed
> to nothing and several network apps including mail and web access have
> failed while trying to access resources on the server or on the external
> network.
>
> I have noticed that while the DUN connection is active the modem and DUN
> properties indicate a constant stream of data being uploaded from the
> server. The network functions normally when the DUN connection is
> disabled.
>
> The problem is not ISP specific as I have tried alternates. There is no
> firewall present (please no lectures, it's not my network).
>
> Can anyone help me to isolate the cause of this problem?

Hi,

It's probably the w32.welchia worm looking for the msblaster worm to try and
remove it. So the whole planet is being scanned, it's like the blind leading
the blind.
More info here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
and here:
http://vil.nai.com/vil/content/v_100559.htm

HTH

-- 
Cheers,
           Star
--