[48043] in North American Network Operators' Group
Re: DoS on ftp port
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Tue May 21 16:34:58 2002
Date: Tue, 21 May 2002 21:33:56 +0100 (BST)
From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>
To: Brian Wilson <wilson@unity.ncsu.edu>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0205210912430.29854-100000@pound.ifndef.com>
Message-ID: <Pine.LNX.4.21.0205212132030.9028-100000@staff.opaltelecom.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
I saw a similar type of attack at the same time to one of my
customers.. not got all the details in yet, odd tho. If anyone knows more
will you CC me in case its related,
Cheers
STeve
On Tue, 21 May 2002, Brian Wilson wrote:
>
> On Tue, 21 May 2002, Brian Wilson wrote:
>
> >
> >
> > Just wondering if anyone else has seen this happen recently:
> > https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
> >
> > We maxed out at about 10,000 flows/sec. I'm currently going back through
> > our argus logs and collecting a list of source hosts (all appear to be
> > spoofed of course). In a 15 minute period we had 4.2 million unique hosts
> > pounding one of our servers.
> >
> > The only reason I post this is that on some other off-campus machines I
> > maintain, I've seen an increase in ftp connections. So, I was wondering
> > if this is some new worm, ddos, or something of that nature. If anyone
> > would care to comment, I'm all ears.
>
> Oh, FYI..
>
> This happened between 6 and 7 am EST this morning (5/21/2002). Normal
> traffic for us at this time is <50Mbps, but at this time it peaked out at
> about 130Mbps.
>
> Also, and someone referred me to this:
> http://www.dshield.org/port_report.php?port=21
>
> Brian
>
>
