[48035] in North American Network Operators' Group


Re: DoS on ftp port

daemon@ATHENA.MIT.EDU (Brian Wilson)
Tue May 21 10:18:35 2002

Date: Tue, 21 May 2002 09:17:44 -0500 (CDT)
From: Brian Wilson <wilson@unity.ncsu.edu>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0205210826470.28771-100000@pound.ifndef.com>
Message-ID: <Pine.LNX.4.21.0205210912430.29854-100000@pound.ifndef.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 21 May 2002, Brian Wilson wrote:

> Just wondering if anyone else has seen this happen recently:    
> https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
>   
> We maxed out at about 10,000 flows/sec.  I'm currently going back through   
> our argus logs and collecting a list of source hosts (all appear to be
> spoofed of course).  In a 15 minute period we had 4.2 million unique hosts
> pounding one of our servers.
> 
> The only reason I post this is that on some other off-campus machines I
> maintain, I've seen an increase in ftp connections.  So, I was wondering
> if this is some new worm, ddos, or something of that nature.  If anyone
> would care to comment, I'm all ears.

Oh, FYI.. 

This happened between 6 and 7 am EST this morning (5/21/2002).  Normal
traffic for us at this time is <50Mbps, but at this time it peaked out at
about 130Mbps.

Also, someone referred me to this:
http://www.dshield.org/port_report.php?port=21

Brian

-- 
Brian Wilson                                  wilson@ncsu.edu
Network Analyst                               W: 919.513.3472
Communication Technologies                    F: 919.513.1893
North Carolina State University        http://www.ncstate.net

