SQL Slammer Variant?

From: Wilson, Aaron J. (AARON.J.WILSONat_private)
Date: Sat Mar 29 2003 - 10:31:15 PST


    I am witnessing SQL Slammer IDS events on an internal sensor that aren't
    coming from one particular source.  In fact, every packet sent has a unique
    and random source IP as well as a unique and random destination IP.  The
    data in the packet matches the one shown at
    http://isc.incidents.org/analysis.html?id=180.  We have UDP 1434 blocked
    around the perimeter and believe this traffic to be originating from a
    system within the internal network.  
    
    The rate of packets at around 2-6 packets per minute isn't as high as the
    original SQL Slammer traffic I have been seeing (at thousands of packets per
    minute).  But this is going to be difficult to track down on a large
    network.  If it spreads, 2-6 packets per minute per infected host with
    thousands of internal systems... 
    
    The first spell was between 03/27/2003 1023 and 1100 PST.  It picked up
    again at 1431 PST on 3/28/2003 and hasn't stopped yet.
    
    Thoughts?  Similar experiences?  Note to coworkers - if this is a practical
    joke on me it's a good one.
    
    -Aaron
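
A defender's triage script for the pattern described in the post, added here as an example and not part of the original message: it parses constructed Snort-style 1434/udp alert lines (an assumed layout), measures the alert rate, and checks whether every packet carries a different source address, which is what separates the spoofed-source traffic above from a genuine Slammer host repeating its own address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample IDS alerts (not from the original post). A Snort-style
# fast-alert layout "MM/DD-HH:MM:SS.ffffff ... {UDP} src:port -> dst:port" is assumed.
SAMPLE_ALERTS = """\
03/28-14:31:05.112233 [**] MS-SQL Worm propagation attempt [**] {UDP} 10.44.9.17:1981 -> 172.19.200.4:1434
03/28-14:31:22.445566 [**] MS-SQL Worm propagation attempt [**] {UDP} 192.0.2.77:3021 -> 10.3.77.250:1434
03/28-14:31:48.778899 [**] MS-SQL Worm propagation attempt [**] {UDP} 198.51.100.9:1434 -> 10.12.8.13:1434
03/28-14:32:10.001122 [**] MS-SQL Worm propagation attempt [**] {UDP} 10.200.1.5:5555 -> 203.0.113.88:1434
03/28-14:32:39.334455 [**] MS-SQL Worm propagation attempt [**] {UDP} 172.31.66.2:1033 -> 10.90.4.1:1434
03/28-14:33:01.667788 [**] MS-SQL Worm propagation attempt [**] {UDP} 10.7.7.7:2048 -> 192.168.250.9:1434
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) .*\{UDP\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text, year=2003):
    """Return (timestamp, src, dst) for every UDP/1434 alert line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group("dport") == "1434":
            ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
            events.append((ts, m.group("src"), m.group("dst")))
    return events

def profile_alerts(events):
    """Rate and address-diversity profile of a batch of 1434/udp alerts."""
    n = len(events)
    if n == 0:
        return {"count": 0, "verdict": "no-alerts"}
    times = [t for t, _, _ in events]
    span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)  # floor at one minute
    src_ratio = len({s for _, s, _ in events}) / n
    dst_ratio = len({d for _, _, d in events}) / n
    if n < 5:
        verdict = "too-few-alerts"
    elif src_ratio >= 0.9:
        # Every packet carries a different source: the IP header cannot name the sender,
        # so the sensor's ingress interface or switch port is the lead to follow.
        verdict = "spoofed-source"
    else:
        verdict = "real-source"  # a genuine infected host repeats its own address
    return {"count": n, "rate_per_min": round(n / span_min, 1), "unique_src_ratio": round(src_ratio, 2),
            "unique_dst_ratio": round(dst_ratio, 2), "top_sources": Counter(s for _, s, _ in events).most_common(3),
            "verdict": verdict}

if __name__ == "__main__":
    print(profile_alerts(parse_alerts(SAMPLE_ALERTS)))
```

When the verdict is spoofed-source, the IP addresses in the alerts will not identify the internal host, so the interface or switch port the packets arrived on is what to trace next.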
    



    This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 13:47:25 PST