Chris,

>Uhm, I'm quite positive that 97.8 mBit coming in through our uplink are
>a pretty good indicator for an attack.

Without any idea of what kind of traffic it was, I would not assume anything. For one thing, can you prove that the traffic was externally generated? Looking at how aggressively Slammer scanned, I would not discount that the traffic could be generated by a worm within your network. Without knowing the destination of the "DOS" packets, you can't tell if it was a routing mess-up that sent a torrent of data to you.

>And by "probing" I meant that maybe the attacker only tried to determine
>our maximum bandwidth for a larger-scale attack, since the DoSes stopped
>fairly soon without any outer influence.

Then again, it could be someone on your internal network probing to see how much they can slow down Yahoo using your bandwidth. I just don't think we should rush to conclusions without knowing anything about the traffic.

Brian
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 08:24:24 PDT