ELF/Scalper-A Spreading?
Johannes Ullrich
jullrich at sans.org
Fri Jul 26 04:01:23 UTC 2002
On Thu, 25 Jul 2002 20:30:38 -0700 (PDT)
"senthil ayyasamy" <mplsgeek at yahoo.com> wrote:
>
>
> > Our border ACLs are catching about three thousand
> > UDP/2100 hits every minute
> > tonight. Is anyone else seeing this? It seems as
> > if ELF/Scalper-A (the
> > Apache/FreeBSD worm) is spreading.
>
> http://www.dshield.org/port_report.php?port=2100
> Their is no major activity across 2100.
Since the 2100 traffic would be a targeted DDOS attack,
it will not show up globally. Also, didn't Scalper use
a commodity DDOS engine? So the 2100 traffic you see is
not necessarily from Scalper but could be from something
else that uses the same ddos engine.
> But activity in more across 17300.
> (http://www.dshield.org/port_report.php?port=17300)
> what might be the reason?
yeah. if anybody has packet captures. Probably not appropriate
for the Nanog list. But just send them to me.
--
---------------------------------------------------------------
jullrich at sans.org Collaborative Intrusion Detection
join http://www.dshield.org
More information about the NANOG
mailing list