New worm/DOS/Level3 routing issues

• Previous message (by thread): 11-25-03 DDoS Juniper Filter
• Next message (by thread): New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

repost* Forgive me if this shows up twice. Mail is flaked via this smtp, and
the last time I sent this, I accidentally sent it to the individual and not
list. heh.

Temporary block in place. My border cpu was starting to hammer up.

Outbound stat about 2 minutes later:
    deny udp any any eq 1434 (445523 matches)
    permit ip 69.8.0.0 0.0.63.255 any (55749 matches)
    permit ip 206.27.138.0 0.0.1.255 any
    permit ip 206.30.96.0 0.0.31.255 any (97851 matches)
    permit ip 205.162.224.0 0.0.15.255 any (146920 matches)
    permit ip 205.240.128.0 0.0.15.255 any (49146 matches)
    permit ip 204.249.192.0 0.0.15.255 any (27351 matches)
    permit ip 192.133.7.0 0.0.0.255 any (5 matches)
    permit ip 63.136.128.0 0.0.3.255 any (379 matches)
    permit ip 216.226.0.0 0.0.31.255 any (27173 matches)
    permit ip 64.58.32.0 0.0.15.255 any (17368 matches)
    permit ip 206.230.34.128 0.0.0.127 any
    permit ip 209.54.40.0 0.0.1.255 any
    permit ip 206.61.140.0 0.0.0.255 any (52 matches)

Inbound stat at same time:
    deny udp any any eq 1434 (53534 matches)
    permit ip any any (431556 matches)

cpu load drop of about 20%....Definately a bad port. virus suspected due to
inbound and outbound.


Jack Bates
Network Engineer
BrightNet Oklahoma

• Previous message (by thread): 11-25-03 DDoS Juniper Filter
• Next message (by thread): New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]