Today one of our networks was almost destroyed by an attack, which appeared to affect SNMP, and was machine specific. Packets came into one of our machines, and dropped the network. We called our upstream, and they told us that 100% of our T3 was filled. On an average day we use maybe 15M, but it was maxing it to 45.

After not being able to get any response from the machine, and unplugging the ethernet, we could log in via console, and noticed "mibiisa" was running using 98% CPU usage. We run the command with "mibiisa -p 32811".

Our upstream thought it was a smurf, however a smurf wouldn't have attacked just SNMP. From just the small amount of logs that they sent us, there were 203 unique hosts that sent the attack. Logs looking like this:

Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 1.1.1.1(0) -> 0.0.0.0(0), 1 packet

I had heard that there were alterations of the "smurf" attack, but could this be one of them?

*---------------------*
| Erik Parker         |
| netmaskat_private   |
| IDC NetOps          |
*---------------------*
           |
*--------------------------------*
| http://www.303.org/            |
| ICQ # 9780056                  |
| talk netmaskat_private         |
*--------------------------------*
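
Added example, not part of the original post: a way to turn a pile of `%SEC-6-IPACCESSLOGP` lines like the one quoted above into a per-target count of unique sources and packets, which is the figure needed to tell a many-to-one flood from ordinary traffic. The function names, the threshold and the sample lines are constructed for illustration; the sample assumes UDP traffic to the port given to `mibiisa -p` in the post.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log format, as in the line quoted in the post:
#   list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict of fields for one IPACCESSLOGP line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def fan_in(lines, min_sources=3):
    """Group by (dst, proto, dport); report targets hit by >= min_sources distinct hosts."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore unrelated syslog lines
        key = (rec["dst"], rec["proto"], rec["dport"])
        sources[key].add(rec["src"])
        packets[key] += rec["count"]
    return {k: (len(s), packets[k]) for k, s in sources.items() if len(s) >= min_sources}

# Constructed sample input (documentation address ranges, not data from the post).
SAMPLE = """\
Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted udp 192.0.2.10(1025) -> 203.0.113.5(32811), 40 packets
Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted udp 192.0.2.11(1026) -> 203.0.113.5(32811), 35 packets
Nov 16 13:15:29: %SEC-6-IPACCESSLOGP: list 105 permitted udp 198.51.100.7(4000) -> 203.0.113.5(32811), 1 packet
Nov 16 13:15:29: %SEC-6-IPACCESSLOGP: list 105 permitted udp 192.0.2.10(1025) -> 203.0.113.5(32811), 12 packets
Nov 16 13:15:30: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 198.51.100.9(3345) -> 203.0.113.8(80), 2 packets
Nov 16 13:15:30: %LINK-3-UPDOWN: Interface Serial0, changed state to up
""".splitlines()

if __name__ == "__main__":
    for (dst, proto, dport), (hosts, pkts) in fan_in(SAMPLE).items():
        print(f"{dst} {proto}/{dport}: {hosts} unique sources, {pkts} packets")
```

A single destination and port with a high unique-source count and a low per-source packet count points at a distributed or reflected flood rather than one misbehaving peer; the `min_sources` value is illustrative and should be set from normal traffic for the service.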