Hi,

I had an incident on the weekend. Detected a lot of SNMP authorization failures to my router from a customer for about 2 days, terminating in an inbound DoS attack (SYN flood) targeting the customer. I suspect the customer machine is compromised and used for scanning ... maybe running an IRC bot as well, which caused the focused DoS attack.

The bit I'm curious about is that the exact same interface on my router experienced some VIP crashes (device is a Cisco 7513) during the same time, and oftentimes very close to the scans. We've had other problems with VIP crashes on the 7513, but I'm always suspicious when associated with malicious activity.

Anybody seen similar activity where a scan or DoS takes out a card? Possibly a scanning tool generating funny packets?

Thanks for any info

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 09:32:57 PST