New MySQL worm? increased probes/traffic detected...

From: David A. Ulevitch (daviduat_private)
Date: Mon Jun 30 2003 - 15:26:42 PDT


Incidents,

Today from 12:00 -- 13:00 PDT we detected a large amount of mysql traffic
across our link, more than we've ever seen.

Our network was being sent traffic not even destined for our IP space
(discovered in analysis; we'll be working with our ISP to figure out why).
However, we captured 1.2 gigs of it in a few minutes, and in looking through
the data the src_port of most hosts is 3306 (MySQL).

Many of the src_hosts are unreachable by us, but of the few that we did
get through to, many are in fact running MySQL. (4.0.10 seemed to be one I
remember.)

Has anyone else seen traffic like this spike in the last day or so?

The destination is in the 66.220.17/24 range. (Not our network, but what
we captured.)

Due to the amount of data, I haven't put it online, but if someone wants
to look at it, ping me offlist.  We have a 1.2 gig pcap dump.

Thanks,
David Ulevitch


----------------------------------------------------
   David A. Ulevitch -- http://david.ulevitch.com
  http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis
----------------------------------------------------
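Added example, not part of the post above: the first thing a responder would do with a dump like the one David describes is tally it by source port, source host and destination /24 before deciding whether it is a worm, a scan, or misrouted traffic. The script below is a dependency-free classic-pcap reader (Ethernet/IPv4/TCP only) that does that tally. Since the 1.2 GB dump is not on the page, it builds its own small pcap in memory from constructed frames using RFC 5737 documentation addresses as sources; only the 66.220.17/24 destination range is taken from the post. Function names, the sample addresses and the packet mix are assumptions for illustration.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame with no payload (SYN by default)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp


def build_pcap(frames, ts=1057000000):
    """Wrap frames in a classic little-endian pcap file (global + record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield (ts_sec, frame_bytes) from a classic pcap, either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = str(ip_address(frame[26:30]))
    dst = str(ip_address(frame[30:34]))
    tcp = 14 + ihl
    if len(frame) < tcp + 14:
        return None  # truncated by snaplen; skip rather than misparse
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return src, dst, sport, dport, frame[tcp + 13]


def summarize(pcap_bytes, port=3306):
    """Tally TCP frames by direction relative to `port`, plus sources and dest /24s."""
    total = from_port = to_port = 0
    src_hosts, dst_nets = Counter(), Counter()
    for _ts, frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, _flags = parsed
        total += 1
        if sport == port:               # replies/probes *from* a MySQL port
            from_port += 1
            src_hosts[src] += 1
            dst_nets[str(ip_network(dst + "/24", strict=False))] += 1
        elif dport == port:             # probes *to* a MySQL port
            to_port += 1
    return {"total": total, "from_port": from_port, "to_port": to_port,
            "src_hosts": src_hosts, "dst_nets": dst_nets}


def sample_pcap():
    """Constructed sample: five sources talking from port 3306 into 66.220.17/24,
    two probes toward 3306, and one unrelated flow."""
    frames = []
    for i in range(1, 6):
        for j in range(2):
            frames.append(build_tcp_frame("198.51.100.%d" % i, "66.220.17.%d" % (i + j),
                                          3306, 40000 + i, flags=0x12))
    frames.append(build_tcp_frame("203.0.113.5", "66.220.17.9", 44000, 3306))
    frames.append(build_tcp_frame("203.0.113.6", "66.220.17.9", 44001, 3306))
    frames.append(build_tcp_frame("203.0.113.7", "66.220.17.9", 80, 5555))
    return build_pcap(frames)


if __name__ == "__main__":
    s = summarize(sample_pcap())
    print("tcp frames:", s["total"], " sport 3306:", s["from_port"], " dport 3306:", s["to_port"])
    print("top sources from 3306:", s["src_hosts"].most_common(5))
    print("destination /24s:", s["dst_nets"].most_common(5))
```

On a real dump, replace `sample_pcap()` with the file's bytes. The split between `from_port` and `to_port` is the point of the tally: source port 3306 with many distinct source hosts (what the post describes) looks like responses or backscatter from MySQL servers, whereas a true scanning worm would show up predominantly as destination port 3306 from a few sources.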




This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 07:51:23 PDT