Ryan Ghering wrote:
> As a side note, my upstream called this morning, asked if they could remove
> the access-list, stating it's policy to only leave ACLs in place for 12 to
> 24 hours.
> I asked them if this was Conficker what can be done to permanently block it.
Do they have an IPS in place?
Ryan Ghering wrote:
> what other
> attacks use 445 tcp?
tcp/445 is probably one of the most-attacked ports on the Internet, so
that's not terribly unusual.
http://isc.sans.org/port.html?port=445 has an interesting historical
list of different attacks that use that port, going back to 2002. One
If 445 is the Windows SMB port then a whole bunch of viruses use it.
Something like 90% of viruses?
Josh Luthman
So last night at about 10 pm we started to receive the largest flood I have
ever seen. It looked like a DDoS attack; looking into my router,
the TCP flow showed an input queue of over 100 million pps on my DS3
upstream. By default we block all Microsoft internal ports inbound and outbound
on our upstrea