Re: [swinog] massive udp attacks from 67.228.4.81

2008-06-02 Thread Marco Fretz
hi,

of course I'm just fighting the symptoms but it worked for us and for
this weekend :-) any idea what the disease is?

on Friday in the evening it suddenly stopped after about 44 million
packets. and now only silence from this source...

from which sources are you experiencing these UDP queries? at our site the
packets were not really queries, just unknown data and no usable header
info...

i think it was some sort of attack against one of our customers, he got
most of these packets according to the netflow data...


Marco


Tobias Göller wrote:

> Hello,
>
> Since the protocol is UDP I wouldn't be too surprised if effective
> sender is using multiple hosts to send UDP Data. So in fact, what you're
> doing, is just fighting the symptoms and not the disease. I have certain
> doubts that subxtreme.net is the real origin.
>
> I myself am experiencing an abnormal amount of UDP Queries to this port
> as well - although the rate is much lower than at your site (about
> 20'000/min).
>
> CU
> Tobias
>
> On May 30, 2008, at 6:20 PM, Marco Fretz wrote:
>
>> Hi everybody,
>>
>> is there anyone else expecting massive UDP (mostly port 53) traffic from
>> 67.228.4.81? Destinations are (possibly randomly chosen) IP addresses out of
>> our AS3915.
>>
>> see attached netflow graph. We've now blocked the IP address and got
>> over 3.7 million blocks within 10 minutes.
>>
>> I just wrote this issue to the corresponding abuse ([EMAIL PROTECTED]),
>> a provider in Brazil as I know so far.
>>
>> Thanks for any feedback.
>>
>> have a nice weekend, best regards
>> Marco

 ___
 swinog mailing list
 swinog@lists.swinog.ch
 http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
 
 
 
 
 
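One way to test the two observations in the message above against captured traffic (payloads on UDP port 53 that are not real queries, and one destination receiving most of the packets), as an added example that is not part of the original thread. The flow tuple layout, function names and all sample addresses and payloads are assumptions constructed for illustration; because UDP source addresses can be forged, the per-source grouping reflects only what the flow records claim.

```python
import struct
from collections import Counter, defaultdict

def looks_like_dns_query(payload: bytes) -> bool:
    """Heuristic: does a UDP/53 payload parse as a standard DNS query (RFC 1035)?"""
    if len(payload) < 17:  # 12-byte header + root name + QTYPE + QCLASS
        return False
    _txid, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    # Require QR=0 (query), OPCODE=0 (standard), one question, no answer/authority RRs.
    if flags >> 15 or (flags >> 11) & 0xF or (qd, an, ns) != (1, 0, 0):
        return False
    pos = 12
    while pos < len(payload) and pos - 12 < 255:
        label = payload[pos]
        if label == 0:  # end of QNAME; QTYPE and QCLASS must follow
            return len(payload) >= pos + 5
        if label > 63:  # over-long label or compression pointer
            return False
        pos += 1 + label
    return False  # name ran past the packet or the 255-byte limit

def summarize(flows, dport=53):
    """Per source: packet count, share of non-DNS payloads, busiest destination."""
    stats = defaultdict(lambda: {"packets": 0, "malformed": 0, "dsts": Counter()})
    for src, dst, port, payload in flows:
        if port != dport:
            continue
        s = stats[src]
        s["packets"] += 1
        s["malformed"] += not looks_like_dns_query(payload)
        s["dsts"][dst] += 1
    report = {}
    for src, s in stats.items():
        top_dst, top_count = s["dsts"].most_common(1)[0]
        report[src] = {"packets": s["packets"],
                       "malformed_ratio": s["malformed"] / s["packets"],
                       "top_dst": top_dst,
                       "top_dst_share": top_count / s["packets"]}
    return report

# Constructed sample data (documentation address ranges, not from the thread).
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
GARBAGE = b"\xa5" * 40
SAMPLE_FLOWS = ([("198.51.100.7", "192.0.2.10", 53, GARBAGE)] * 8
                + [("198.51.100.7", "192.0.2.11", 53, GARBAGE),
                   ("198.51.100.7", "192.0.2.12", 53, GARBAGE)]
                + [("203.0.113.5", "192.0.2.53", 53, QUERY)] * 3
                + [("203.0.113.5", "192.0.2.53", 123, GARBAGE)])

if __name__ == "__main__":
    for src, row in summarize(SAMPLE_FLOWS).items():
        print(src, row)
```

A source with a malformed ratio near 1.0 and a high top-destination share matches the pattern described in the message: junk payloads aimed mostly at a single customer.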


Re: [swinog] massive udp attacks from 67.228.4.81

2008-06-01 Thread Tobias Göller


Hello,

Since the protocol is UDP I wouldn't be too surprised if effective
sender is using multiple hosts to send UDP Data. So in fact, what
you're doing, is just fighting the symptoms and not the disease. I
have certain doubts that subxtreme.net is the real origin.

I myself am experiencing an abnormal amount of UDP Queries to this
port as well - although the rate is much lower than at your site
(about 20'000/min).


CU
Tobias

On May 30, 2008, at 6:20 PM, Marco Fretz wrote:

> Hi everybody,
>
> is there anyone else expecting massive UDP (mostly port 53) traffic from
> 67.228.4.81? Destinations are (possibly randomly chosen) IP addresses out of
> our AS3915.
>
> see attached netflow graph. We've now blocked the IP address and got
> over 3.7 million blocks within 10 minutes.
>
> I just wrote this issue to the corresponding abuse ([EMAIL PROTECTED]),
> a provider in Brazil as I know so far.
>
> Thanks for any feedback.
>
> have a nice weekend, best regards
> Marco



[swinog] massive udp attacks from 67.228.4.81

2008-05-30 Thread Marco Fretz
Hi everybody,

is there anyone else expecting massive UDP (mostly port 53) traffic from
67.228.4.81? Destinations are (possibly randomly chosen) IP addresses out of
our AS3915.

see attached netflow graph. We've now blocked the IP address and got
over 3.7 million blocks within 10 minutes.

I just wrote this issue to the corresponding abuse ([EMAIL PROTECTED]),
a provider in Brazil as I know so far.


Thanks for any feedback.


have a nice weekend, best regards
Marco
