Hi,

Port 7 is echo and your "attacker" addresses are probably on amplifier networks (I did not check though).
Looks like ol' good Fraggle attack - http://www.sans.org/infosecFAQ/threats/dos_attacks.htm

Alexander Newald wrote:
>
> Hello,
>
> on the 15th of June one of my machines got hit by a UDP flood.
>
> As I only log one entry per host per second I can only tell that I had
> 1704 log entries and 457 different source IPs in 5 minutes starting from
> 9:21 CEST ending 9:34 CEST. All was UDP traffic with source port 7 and
> dest ports 326,21645,32390,58619 with most hits on 21645.
>
> As the list of all the source machines is a bit too long to post by mail I
> put it on one of my webservers:
>
> http://www.newald.de/udp_flood_15.6.2001.txt
>
> The most important thing I'd like to know is: Why these ports? Or is this
> only an attempt to DoS the bandwidth?
>
> Thanks,
>
> Alexander Newald
>
> Alexander Newald alexanderat_private
> Wunstorfer Strasse 72 www.newald.de
> 30453 Hannover
> Germany
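
A detection sketch for the pattern discussed in this thread (UDP replies arriving from source port 7 across many hosts), added here as an example and not part of either poster's message. The iptables-style log format, the function name `summarize_reflection`, the `min_sources` threshold and the sample addresses are assumptions; it also goes slightly beyond the thread by treating chargen (port 19) as a reflector service alongside echo.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, iptables-style format (assumed); documentation-range IPs, ports from the post.
SAMPLE_LOG = """\
Jun 15 09:21:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=21645
Jun 15 09:21:03 fw kernel: IN=eth0 SRC=192.0.2.11 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=21645
Jun 15 09:21:04 fw kernel: IN=eth0 SRC=192.0.2.12 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=326
Jun 15 09:21:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=21645
Jun 15 09:21:05 fw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=32390
Jun 15 09:21:06 fw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.5 PROTO=UDP SPT=7 DPT=58619
Jun 15 09:21:06 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=40000
Jun 15 09:21:07 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=7 DPT=21645
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=\S+ PROTO=(\S+) SPT=(\d+) DPT=(\d+)")
REFLECTOR_PORTS = {7: "echo", 19: "chargen"}  # UDP services that reply to any datagram

def summarize_reflection(log_text, min_sources=3):
    """Summarize inbound UDP whose source port is a reflector service."""
    sources = defaultdict(set)         # source port -> distinct source IPs
    dest_ports = defaultdict(Counter)  # source port -> hits per destination port
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) != "UDP":
            continue
        src, spt, dpt = m.group(1), int(m.group(3)), int(m.group(4))
        if spt in REFLECTOR_PORTS:
            sources[spt].add(src)
            dest_ports[spt][dpt] += 1
    findings = []
    for spt, srcs in sources.items():
        if len(srcs) < min_sources:
            continue  # a handful of echo replies is not a flood
        # Group distinct sources by /24 to see whether they cluster on a few networks.
        nets = Counter(str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in srcs)
        findings.append({
            "service": REFLECTOR_PORTS[spt],
            "log_entries": sum(dest_ports[spt].values()),
            "distinct_sources": len(srcs),
            "source_networks": dict(nets),
            "top_dest_port": dest_ports[spt].most_common(1)[0],
        })
    return findings

if __name__ == "__main__":
    for finding in summarize_reflection(SAMPLE_LOG):
        print(finding)
```

Many distinct sources concentrated in a few /24 networks, all replying from port 7, is consistent with reflected echo traffic rather than hosts that chose to attack.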
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:09:38 PDT