So last night at about 10 pm we started to receive the largest flood I have ever seen. It looked like a DDoS attack; looking into my router, the TCP flow showed an input queue of over 100 million pps on my DS3 upstream. By default we block all Microsoft internal ports inbound and outbound on our upstream, i.e. 137, 138, 445, etc. The port 445 deny showed 3.1 million hits. I cleared the counters and contacted my upstream; they see it as well. They put in an access-list to block port 445 and the attack starts dropping off (it took about 10 mins for the network buffers to clear and the load to drop on my routers). The question is: was this caused by Conficker? What other attacks use 445 TCP?
As a side note, my upstream called this morning and asked if they could remove the access-list, stating it's their policy to only leave ACLs in place for 12 to 24 hours. I asked them, if this was Conficker, what can be done to permanently block it. They tell me this is my issue, not theirs. So I have to take a chance in 12 hours, when they remove the ACL, that my network will be screwed again. A log export shows, in just a 10 minute period, over 18,000 addresses denied on 445 TCP. Needless to say it was a long night and a screwed up morning. Has anyone else experienced a similar flood on 445 recently?

Ryan

--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
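The "18,000 addresses denied on 445 in 10 minutes" figure above is the kind of thing a router ACL log export lets you measure rather than eyeball. The following is an added example, not part of Ryan's post or the list, that parses constructed deny lines modelled on Cisco IOS ACL logging (%SEC-6-IPACCESSLOGP), buckets the port 445 denies into fixed windows, and flags windows where the number of distinct source addresses crosses a threshold; the log format, hostnames and addresses are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on Cisco IOS ACL logging output; the
# hostname and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jun  3 22:00:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3412) -> 198.51.100.7(445), 1 packet
Jun  3 22:00:02 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.11(3413) -> 198.51.100.7(445), 1 packet
Jun  3 22:00:03 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3414) -> 198.51.100.9(445), 1 packet
Jun  3 22:00:04 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.12(5000) -> 198.51.100.7(137), 1 packet
Jun  3 22:15:00 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.13(3415) -> 198.51.100.7(445), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied tcp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)


def parse_denies(text, year=2009):
    """Yield (timestamp, source, destination port, packets) per parseable deny line.
    Syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than fail
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dport"]), int(m["pkts"])


def port_flood_windows(text, port=445, window_minutes=10):
    """Group denies to `port` into fixed windows; return {window_start: (distinct_sources, packets)}.
    window_minutes should divide 60 evenly."""
    buckets = defaultdict(lambda: [set(), 0])
    for ts, src, dport, pkts in parse_denies(text):
        if dport != port:
            continue
        start = ts.replace(minute=(ts.minute // window_minutes) * window_minutes, second=0)
        buckets[start][0].add(src)
        buckets[start][1] += pkts
    return {k: (len(v[0]), v[1]) for k, v in sorted(buckets.items())}


def flagged_windows(text, port=445, window_minutes=10, min_sources=2):
    """Window starts where distinct sources hitting `port` reach min_sources.
    The post saw 18,000 in 10 minutes; the default here is tiny to suit the sample."""
    return [start for start, (srcs, _) in port_flood_windows(text, port, window_minutes).items()
            if srcs >= min_sources]
```

Run against a real export, raise `min_sources` to whatever your normal background scan rate is, and the flagged windows give you a timeline to hand your upstream when they ask why the ACL should stay.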
