[50338] in North American Network Operators' Group
Re: ELF/Scalper-A Spreading?
daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Fri Jul 26 00:06:57 2002
Date: Fri, 26 Jul 2002 00:01:23 -0400
From: "Johannes Ullrich" <jullrich@sans.org>
To: "senthil ayyasamy" <mplsgeek@yahoo.com>
Cc: drew@gothambus.com, nanog@nanog.org
In-Reply-To: <20020726033038.13977.qmail@web20804.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 25 Jul 2002 20:30:38 -0700 (PDT)
"senthil ayyasamy" <mplsgeek@yahoo.com> wrote:
>
>
> > Our border ACLs are catching about three thousand
> > UDP/2100 hits every minute
> > tonight. Is anyone else seeing this? It seems as
> > if ELF/Scalper-A (the
> > Apache/FreeBSD worm) is spreading.
>
> http://www.dshield.org/port_report.php?port=2100
> There is no major activity across 2100.

Since the 2100 traffic would be a targeted DDOS attack,
it will not show up globally. Also, didn't Scalper use
a commodity DDOS engine? So the 2100 traffic you see is
not necessarily from Scalper but could be from something
else that uses the same ddos engine.

> But activity is more across 17300.
> (http://www.dshield.org/port_report.php?port=17300)
> What might be the reason?

Yeah. If anybody has packet captures. Probably not appropriate
for the NANOG list. But just send them to me.
--
---------------------------------------------------------------
jullrich@sans.org Collaborative Intrusion Detection
join http://www.dshield.org