If the source IP addresses are Windows NT machines running IIS, read:
http://www.securityfocus.com/bid/1806
Patch the box, then review your web logs.

On Wed, 13 Jun 2001, Vangelis Haniotakis wrote:

> Hi.
>
> Over the last few days, our outgoing traffic has increased tremendously.
> On examination of our Netflow logs, a couple of our hosts seem to be
> transmitting big amounts of data with source and destination port 0 to a
> small number of external hosts.
>
> Is this a DOS attack originating from our hosts? Is there a legitimate
> reason for flows looking like this:
>
> src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
> 147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
> 147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308
>
> The protocol field is actually Cisco Netflow Collector's guess of the
> protocol, not an indication of actual packet format. I'm not sure whether
> these are indeed huge ICMP packets or something else, like data transfers.
> Some of these flows are tens of MBs in size.
>
> Any assistance or recommendations would be very much appreciated indeed.
>
> Thank you very much for your time in advance.
>
> --
> Vangelis Haniotakis - Network & Communications Centre, University of Crete
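As an added example (not code from either poster), the following Python script triages a pipe-delimited flow export in the layout quoted above: it parses each record, computes bytes per packet, and flags "ICMP" flows that carry far more data per packet, or per flow, than an echo exchange would, plus records whose end timestamp precedes the start (as in the first quoted record, which a collector can emit and which makes the duration untrustworthy). The thresholds are assumptions, and the sample records use documentation-range addresses rather than the poster's hosts.

```python
# Added example: triage helpers for the pipe-delimited Netflow collector export
# quoted in the thread. Thresholds and sample records below are assumptions /
# constructed values, not anything from the original message.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample export in the same field order as the quoted records.
# Addresses are documentation-range placeholders (RFC 5737), not real hosts.
SAMPLE_EXPORT = """\
src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
198.51.100.10|203.0.113.5|0|0|ICMP|6575|6637824|992379494|988086327
198.51.100.10|203.0.113.5|0|0|ICMP|5735|6088716|992379508|992381308
198.51.100.11|203.0.113.7|0|0|ICMP|10|640|992379600|992379610
198.51.100.12|203.0.113.9|1034|80|TCP|120|9000|992379700|992379702
"""


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    pkts: int
    nbytes: int
    start: int
    end: int

    @property
    def bytes_per_packet(self) -> float:
        return self.nbytes / self.pkts if self.pkts else 0.0


def parse_flow(line: str) -> Flow:
    """Parse one record; raises ValueError for the header or a malformed line."""
    parts = line.strip().split("|")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    src, dst, sport, dport, proto, pkts, nbytes, start, end = parts
    return Flow(src, dst, int(sport), int(dport), proto.upper(),
                int(pkts), int(nbytes), int(start), int(end))


# Assumed thresholds: an echo request/reply flow is tens of bytes per packet
# and a few KB in total, so megabytes at ~1 KB per packet labelled "ICMP"
# deserves a packet capture to see what it really is.
ICMP_BYTES_THRESHOLD = 1_000_000
ICMP_BPP_THRESHOLD = 200


def triage(flow: Flow) -> List[str]:
    """Return the list of findings (empty when the record looks ordinary)."""
    findings: List[str] = []
    if flow.proto == "ICMP":
        if flow.nbytes >= ICMP_BYTES_THRESHOLD:
            findings.append("icmp-high-volume")
        if flow.bytes_per_packet >= ICMP_BPP_THRESHOLD:
            findings.append("icmp-large-payload")
    if flow.end < flow.start:
        # Collector timestamps contradict each other: keep the record, but do
        # not compute a rate from its duration.
        findings.append("bad-timestamps")
    return findings


def triage_export(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (src, dst, findings) for every record that raised a finding."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # header line or malformed record
        findings = triage(flow)
        if findings:
            flagged.append((flow.src, flow.dst, findings))
    return flagged


def bytes_by_source(text: str) -> Dict[str, int]:
    """Sum the bytes of flagged flows per internal source host, to decide
    which machines to inspect first."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        try:
            flow = parse_flow(line)
        except ValueError:
            continue
        if triage(flow):
            totals[flow.src] = totals.get(flow.src, 0) + flow.nbytes
    return totals


if __name__ == "__main__":
    for src, dst, findings in triage_export(SAMPLE_EXPORT):
        print(f"{src} -> {dst}: {', '.join(findings)}")
    print(bytes_by_source(SAMPLE_EXPORT))
```

Run against a real export, the per-source totals tell you which internal hosts to take a capture from; a tcpdump on those hosts settles whether the "ICMP" label is right, which the collector's protocol guess cannot.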
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 17:29:10 PDT