> Starting Tuesday night, we started getting complaints from customers in a
> specific net block of our network, all of whom were running small
> "personal" firewalls (Netgear, linksys etc) about:
Someone on that network is scanning/flooding it hard... probably from
a hacked box spoofing IP's. Last one I had was a linux boxen
with a 'udp.pl' running from a pseudo-root account. As it was
not actually making connections, many of the traffic/monitoring tools
had a hard time identifying it. We found it using ntop (ntop.org)
and the packet stats on the ethernet switches.
