Today we've experienced some heavy outages of a well noticed system. We dug it down to traffic between a routing interface in front of the system and many highly random IPs around the world. We are sure that some of these random IPs are unused IPs (as some of them belong to net blocks which we maintain).

There are two theories we are currently investigating:

1) The router went mad, mixing up its routing table, sending weird packets out and then was overloaded by the replies.

2) We've been hit by some kind of DOS against the router or the system behind (with forged source IPs).

Unfortunately we haven't been able to capture a FULL packet during this time (too many calls, too many other paths we had to investigate ...).

If you run a honeypot or caught, by some lucky circumstances, a full packet coming from the following IPs, we would appreciate it if you could send it to us (tcpdump, snoop or the raw packet content).

194.122.245.58
194.122.245.62

Depending on the packet content, we might have a better idea of what was going on.

Thanks in advance,

Markus.

--
KPNQwest Germany GmbH * Emmy-Noether-Str. 9 * D-76131 Karlsruhe
[T] +49 721 9652 213 [F] +49 721 9652 171 [M] +49 173 5166209
[E] Markus Weber <Markus.Weberat_private> [I] www.kpnqwest.de
Geschäftsführer: M.Müller-Berg/R.Williams, Amtsgericht KA/HRB8161

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Apr 21 2002 - 19:24:19 PDT