[182517] in North American Network Operators' Group

Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jul 20 14:49:57 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: nanog@nanog.org
Date: Mon, 20 Jul 2015 20:49:54 +0200
In-Reply-To: <7e2983baf29e4e95801764be087687da@EXCHANGE2K13.thenap.com>
Errors-To: nanog-bounces@nanog.org

On 20 Jul 2015, at 18:12, Drew Weaver wrote:

> Ah, alright. I've seen the "general" amplification attacks 
> SNMP/DNS/NTP/you name it, plenty but this is the first one I've ever 
> seen one that targeted 1720/5060 and as it's mitigated in one place it 
> keeps moving from dst to dst fairly rapidly until none of the dst ips 
> are available.

What source ports and breadth of purported source IPs?  I'm not sure 
this is a reflection/amplification attack, it may be a straight packeting 
of H.323 systems.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>