Hi Guys,

Since we're on the topic of firewalls... just some comments.

One thing my fw is reporting about is that my internal net is requesting/being hit by the ads.web.aol.com website, three times more than any other site.

The other thing I'm seeing when I check based on bandwidth usage by host, one of my linux boxes running rh 7.3 (cd roaster) is using by far about 4 times any other box. I've checked netstat, lsof, ps, top, nmap [889/tcp open unknown]. I can't seem to be able to tell what could be hogging the pipes. This box is on the network and shouldn't be running any other unneeded services.

When I do a bandwidth by service at my firewall I get this: "TCP Port 2937". It appears to be using 50% more than anything else. And then "TCP Port 4366" is the next one in bandwidth consumption.

Open for other comments.

Rafael.

On Fri, 2004-03-19 at 11:55, Curtis Sloan wrote:
> So, it may or may not be Blaster/Welchia related activity, but rather any old
> virus/worm trying to DDoS a selected target (that DNS maintainers have seen
> fit to resolve to 127.0.0.1). Hey, maybe it's trying to DDoS SCO! Ooh,
> ethical quandary... ;-) j/k
>
> Curtis
>
> On Fri March 19 2004 09:37, Michael Petch wrote:
> > Interesting. Some ISPs running DNS services might mark some domain
> > names with an IP address of 127.0.0.1 to mitigate a Denial of service
> > attack against the domains in question (Of course 127.0.0.1 addresses
> > will be resolved back to the local computer).
> >
> > I find it a bit odd that the destinations are internal network addresses
> > (I assume internal machine IP address is a non-routable IP address on
> > the internet?)
> >
> > I know when the blaster worm was circulating Sprint set some of their
> > DNS servers to point windowsupdate.com at 127.0.0.1 .
> >
> > Just some ideas.
> >
> > On Thu, 2004-03-18 at 21:57, Shane&Lisa wrote:
> > > Hi all, is anybody else getting firewall logs yelling:
> > >
> > > 127.0.0.1 on port 80 (external) to <internal machine address> port <unprivileged port #> (internal)
> > >
> > > over and over again?
> > >
> > > I'm just getting pounded with these...
> > >
> > > Ideas?
> > >
> > > Shane
> > >
> > > _______________________________________________
> > > clug-talk mailing list
> > > [EMAIL PROTECTED]
> > > http://clug.ca/mailman/listinfo/clug-talk_clug.ca

-- 
J. Rafael Sánchez
Systems Administrator
Itres Research Limited
(p) 403.250.9944 (f) 403.250.9916
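
An added example, not part of the original message or thread: one way to tie the firewall's per-port figures (TCP 2937 and 4366 in the message above) back to a socket and its owner on the Linux box is to read the kernel's own table in /proc/net/tcp. The sample table is constructed, the function names are hypothetical, and the address decoding assumes a little-endian (x86) host.

```python
import glob
import os
import socket
import struct

# Subset of the TCP state codes used in /proc/net/tcp.
STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0379 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0A01A8C0:0B79 0500000A:0050 01 00000000:00000000 00:00000000 00000000   500        0 4410
   2: 0A01A8C0:110E 0500000A:0050 01 00000000:00000000 00:00000000 00000000   500        0 4411
"""


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def sockets_on_ports(table_text, ports):
    """Return every socket whose local or remote port is in `ports`."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        local, remote = decode_addr(cols[1]), decode_addr(cols[2])
        if local[1] in ports or remote[1] in ports:
            hits.append({"local": local, "remote": remote,
                         "state": STATES.get(cols[3], cols[3]),
                         "uid": int(cols[7]), "inode": int(cols[9])})
    return hits


def pids_for_inode(inode):
    """On a live host, list PIDs holding socket:[inode] (root sees all users)."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:                            # process exited or no access
            continue
    return sorted(pids)
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE and hand each returned inode to pids_for_inode while running as root.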

