High volumes of UDP traffic

Drew Weaver drew.weaver at thenap.com
Wed Dec 31 18:17:39 UTC 2003


	We've seen similar instances of these types of things usually
precipitated by a customer angering someone on IRC that they shouldn't have.
It's just a targeted DDoS either by someone who has owned a large number of
boxen on your network, or by someone who doesn't like people who owned a
large number of boxen on your network.

-Drew

-----Original Message-----
From: Anderson, Ian [mailto:i.anderson at lancaster.ac.uk] 
Sent: Wednesday, December 31, 2003 12:31 PM
To: nanog at merit.edu
Subject: High volumes of UDP traffic


A heads-up

Since yesterday afternoon we saw a large increase in offsite traffic circa
80,000pps directed at host deals.in.crackcocaine.us

17:02:52.527762 148.88.156.86.2571 > 69.50.162.82.7854: udp 1
17:02:52.527876 148.88.156.86.2571 > 69.50.162.82.3002: udp 1
17:02:52.527877 148.88.156.86.2571 > 69.50.162.82.37525: udp 1
17:02:52.527996 148.88.156.86.2571 > 69.50.162.82.6170: udp 1
17:02:52.527997 148.88.156.86.2571 > 69.50.162.82.39709: udp 1
17:02:52.528113 148.88.156.86.2571 > 69.50.162.82.9818: udp 1
17:02:52.528114 148.88.156.86.2571 > 69.50.162.82.57395: udp 1
17:02:52.528115 148.88.156.86.2571 > 69.50.162.82.18194: udp 1
17:02:52.528230 148.88.156.86.2571 > 69.50.162.82.55981: udp 1
17:02:52.528231 148.88.156.86.2571 > 69.50.162.82.42256: udp 1
17:02:52.528350 148.88.156.86.2571 > 69.50.162.82.41441: udp 1

These seem to be from various Windows boxen on our network. Due to our
campus being locked down we've not been able to examine the machines closely
and find out exactly what's going on; we've just disconnected them as an
interim measure.

Anyone else seen similar strangeness?  Is it coincidence or is it another
l33t haxor trying the old "no one's working on New Year's Eve"??

Anyway a happy new year to all - I'm off to enjoy the party...

Ian

-- 
Ian Anderson
Network Support
Lancaster University, Lancaster, LA1 4YW
t: 01524 593019 ~ ip: 01524 510101 ~ f: 01524 844011
i.anderson at lancs.ac.uk 
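
Added example, not part of either message above: a small Python script that finds the pattern visible in the capture (one internal source sending 1-byte UDP datagrams to a different destination port on nearly every packet) in tcpdump text output. The thresholds and the function names `summarize` and `suspicious` are assumptions chosen for illustration; the last two sample lines are constructed benign traffic using documentation addresses.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line: "HH:MM:SS.frac src.sport > dst.dport: udp LEN"
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)$")

# First six lines are copied from the capture in the post; the last two are
# constructed DNS-like traffic for contrast.
SAMPLE = """\
17:02:52.527762 148.88.156.86.2571 > 69.50.162.82.7854: udp 1
17:02:52.527876 148.88.156.86.2571 > 69.50.162.82.3002: udp 1
17:02:52.527877 148.88.156.86.2571 > 69.50.162.82.37525: udp 1
17:02:52.527996 148.88.156.86.2571 > 69.50.162.82.6170: udp 1
17:02:52.527997 148.88.156.86.2571 > 69.50.162.82.39709: udp 1
17:02:52.528113 148.88.156.86.2571 > 69.50.162.82.9818: udp 1
17:02:53.100000 192.0.2.10.53211 > 192.0.2.53.53: udp 32
17:02:53.400000 192.0.2.10.53212 > 192.0.2.53.53: udp 41
"""

def summarize(text):
    """Group UDP packets by (src, dst) and collect per-flow statistics."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "dports": set(), "times": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a UDP line in this format
        h, mi, s, src, _sport, dst, dport, size = m.groups()
        f = flows[(src, dst)]
        f["pkts"] += 1
        f["bytes"] += int(size)
        f["dports"].add(int(dport))
        f["times"].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return flows

def suspicious(flows, min_pkts=5, min_port_ratio=0.8, max_avg_payload=8):
    """Flag flows with many packets, near-unique destination ports, tiny payloads."""
    hits = []
    for (src, dst), f in flows.items():
        n = f["pkts"]
        if (n < min_pkts or len(f["dports"]) / n < min_port_ratio
                or f["bytes"] / n > max_avg_payload):
            continue
        span = max(f["times"]) - min(f["times"])
        pps = round((n - 1) / span) if span > 0 else None
        hits.append((src, dst, n, len(f["dports"]), pps))
    return hits

if __name__ == "__main__":
    print(suspicious(summarize(SAMPLE)))
```

Each hit is a tuple of source, destination, packet count, distinct destination ports and estimated packets per second, which gives a list of internal hosts to disconnect or inspect.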


