On Thu, 19 Apr 2001, Crist Clark wrote:

> The last router before the machine logging these would not happen to
> be a Cisco? Would not happen to have directed broadcasts enabled?

Unfortunately I don't have any control over our routers, and don't know how they're configured.

> This looks like someone trying to UDP-chargen "smurf" 194.72.6.103. Can
> you traceroute to that address and see if the distance jives with your
> observation of about 11 hops (which you consider close?).

That's about what I thought. I fired up tcpdump to see which MAC address was generating the traffic. Although the udp flooding had already stopped, I did see some new traffic with a destination address of 255.255.255.255, and a destination port of 21/tcp (one of the recent worms maybe?). Tcpdump showed the MAC address for that stuff as being the router's interface on my network.

Mike

--
Mike Tibor          Univ. of Alaska Anchorage   (907) 786-1001 voice
Network Technician  Consortium Library          (907) 786-6050 fax
tiborat_private     http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:15:16 PDT