[55184] in North American Network Operators' Group


Re: 1434 traffic

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sat Jan 25 17:17:20 2003

Date: Sat, 25 Jan 2003 15:31:49 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: nanog@merit.edu
X-Qmail-Scanner-Mail-From: jullrich@euclidian.com via server.euclidian.com
In-Reply-To: <Pine.GSO.4.44.0301250334120.10247-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu



> What I'm seeing on my personal network connections is a lot of
> traffic to udp port 1434 starting at 05:30:08 UTC.

I did some graphing of reports we got to DShield/ISC up to 9am EST.
http://isc.sans.org/port1434start.gif

The part that amazes me is the speed. It saturated within 1 minute!

Does anybody else see the oscillations in traffic? I remember seeing
something similar in netflow data for slapper (2002 udp). Or is this
just an artifact of our particular dataset?

So far, we got about 80,000 sources (distinct IPs sending port 1434
packets).



-- 
--------------------------------------------------------------------
jullrich@euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
