New worm / port 1434?

Josh Richards jrichard at cubicle.net
Sat Jan 25 11:12:40 UTC 2003


Note, further analysis makes me believe that the ICMP we saw immediately
beforehand was a coincidence and unrelated.  The origin of the ICMP has
been traced to a customer application.

-jr

* Josh Richards <jrichard at cubicle.net> [20030125 00:21]:
> 
> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
> delivered to one of our downstream colo customer boxes followed by a
> 70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
> destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
> so this was a bit out of their profile. :-)  Needless to say, we shut them
> down per a suspected security incident.  The ICMP came from 66.214.194.31
> though that could quite easily be forged or just another compromised box.
> We're seeing red to many networks all over the world though our network seems
> to have quieted down a bit.  Sounds like a DDoS in the works.
> 
> Anyone else able to corroborate/compare notes?

----
Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
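A detection pass over NetFlow-style records for the pattern the post describes: a source that suddenly fans out to many destinations on 1434/udp at a rate far above its usual profile. This is an added example, not the author's tooling; the flow records, the per-flow byte counts, the 0.25 Mbit/s baseline and the fan-out and rate thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real data:
# (timestamp_seconds, src_ip, dst_ip, proto, dst_port, bytes)
def make_sample_flows():
    flows = [
        (0, "10.0.0.5", "192.0.2.10", "tcp", 80, 1500),
        (1, "10.0.0.5", "198.51.100.7", "tcp", 443, 900),
        (2, "10.0.0.5", "203.0.113.4", "udp", 53, 120),
    ]
    # One colo host spraying udp/1434 at 400 distinct destinations in one second.
    for i in range(400):
        net = "198.51.100" if i < 254 else "203.0.113"
        flows.append((2, "10.0.0.9", f"{net}.{i % 254 + 1}", "udp", 1434, 1212))
    return flows


def detect_udp_bursts(flows, baseline_mbps, port=1434, fanout_min=100,
                      rate_multiple=10, default_mbps=0.25):
    """Return {src: (peak_mbps, unique_dsts)} for sources that, within any one
    second, hit at least fanout_min distinct destinations on udp/<port> while
    sending at least rate_multiple times their baseline rate.
    baseline_mbps maps src -> usual Mbit/s; default_mbps is an assumed profile
    for sources without one."""
    # (src, second) -> [bytes in that second, set of udp/<port> destinations]
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dst, proto, dport, nbytes in flows:
        entry = buckets[(src, int(ts))]
        entry[0] += nbytes
        if proto == "udp" and dport == port:
            entry[1].add(dst)

    hits = {}
    for (src, _sec), (nbytes, dsts) in buckets.items():
        mbps = nbytes * 8 / 1_000_000
        usual = baseline_mbps.get(src, default_mbps)
        if len(dsts) >= fanout_min and mbps >= rate_multiple * usual:
            peak, fanout = hits.get(src, (0.0, 0))
            hits[src] = (max(peak, mbps), max(fanout, len(dsts)))
    return hits


if __name__ == "__main__":
    baselines = {"10.0.0.5": 0.25, "10.0.0.9": 0.25}
    for src, (mbps, fanout) in detect_udp_bursts(make_sample_flows(), baselines).items():
        print(f"{src}: {mbps:.2f} Mbit/s to {fanout} distinct hosts on udp/1434")
```

Real NetFlow exports aggregate by flow, so a scanning host shows up as a flood of small single-destination flows; bucketing by source and second is what turns that into a fan-out count.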

