Re: 2002/udp flood

From: Mike Nowlin (mikeat_private)
Date: Tue Aug 27 2002 - 23:03:04 PDT


    Richard L. Anderson writes:

    > I have a FreeBSD web server that is receiving large amounts of UDP
    > traffic to port 2002.  Here is an example of the traffic I'm seeing
    > (Source and Destination IP addresses scrubbed):

    Welcome to the club...  :)

    We have been experiencing the same thing for a little over a week, on and
    off.  Sometimes, there's enough incoming UDP traffic to slow access to a
    crawl, other times it's just a mild irritant (knowing that it's there), and
    other times, it's completely gone.  We were attacked via the Apache bug a
    few weeks ago with the UDP port 2001 floods along with it - fixed the
    server, removed the backdoor, and all was well for about two weeks.  Then,
    this started all over again on port 2002.  (This time, however, I don't see
    any evidence of an intrusion - just the UDP flooding.)

    I'm not sure what this all adds up to - a lack of any similar reports made
    me think that we were under an "aimed specifically at you" DDoS attack, but
    now I'm wondering...

    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 10:28:30 PDT