King, Brian wrote: > without any idea of what kind of traffic it was, I would not assume > anything. For one thing, can you prove that the traffic was externally > generated? Looking at how aggressively slammer scanned, I would not > discount that the traffic could be generated by a worm within your > network. Without knowing the destination of the "DOS" packets, you > can't tell if it was a routing messup that sent a torrent of data to > you. I can discount that. The traffic is inbound on the switch to our network segment, so it is at least not generated inside our rack. > Then again, it could be someone on your internal network probing to see > how much they can slow down Yahoo using your bandwidth. I don't get that. If someone would be using my bandwidth, how come I see 100 mbit INBOUND, not OUTBOUND? To clarify all this a bit, I have uploaded our uplink provider's rrdtool image for the last 24 hours to http://www.christopher-kunz.de/images/dos_1.png The other two spikes are very similar in height and length. --ck -- php development | hosting | housing | professional game server hosting http://www.de-punkt.de [ chris@de-punkt.de ] http://www.stormix.de +49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 10:45:00 PDT