isprime DOS in progress

Aaron Hopkins lists at die.net
Wed Jan 21 18:21:23 UTC 2009


On Wed, 21 Jan 2009, Phil Rosenthal wrote:
> This attack has been ongoing on 66.230.128.15/66.230.160.1 for about 24 hours 
> now, and we are receiving roughly 5Gbit of attack packets from roughly 
> 750,000 hosts.

I'm only receiving NS queries for "." from spoofed 66.230.128.15 and
66.230.160.1 via above.net (of my three transit providers) and none from
peering.  This usually indicates a single source, such as one rooted machine
on non-BCP38 net spewing most of a gigabit.

> Given the attack is still in progress, I can't really say much more publicly, 
> but suffice to say, we're working on the situation.

Have you had any luck tracking back the source of the spoofed packets?    If
me talking to above.net sounds useful, let me know.

                                     -- Aaron




More information about the NANOG mailing list