[65910] in North American Network Operators' Group


Re: Most up to date packet size distribution info

daemon@ATHENA.MIT.EDU (Petri Helenius)
Thu Dec 18 03:21:16 2003

Date: Thu, 18 Dec 2003 10:19:49 +0200
From: Petri Helenius <pete@he.iki.fi>
To: Deepak Jain <deepak@ai.net>
Cc: Hank Nussbacher <hank@att.net.il>, Jeff Kell <jeff-kell@utc.edu>,
	rhealey@onvoy.com, nanog@merit.edu
In-Reply-To: <3FE15D9F.3030508@ai.net>
Errors-To: owner-nanog-outgoing@merit.edu


Deepak Jain wrote:

>> Infected machines send up to 300pps per machine of ICMP packets which fall into
>> the 96 slot above. So in this example you probably have many of them.
>>
>
> Couldn't this also mean he is being probed/attacked by many as well?
>
Certainly, but these high ratios are usually only attainable if you're close to
the source of the traffic. Try to match the 96 packet size fraction to
the ICMP fraction you have. Obviously the next thing to check is
where the traffic is coming from (if you're interested enough to get rid of it).

Pete
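
The check suggested in the message above, as an added example that is not part of the original post: it compares the share of packets in the 96 slot with the ICMP share, then ranks the sources of that traffic. The flow-record layout, the 65 to 96 byte range assumed for the "96" slot, and the `min_pps` threshold are assumptions, and the records are constructed sample data.

```python
from collections import defaultdict

# Constructed flow records (not real data):
# (source, protocol, packets, bytes, duration in seconds)
FLOWS = [
    ("10.0.0.5", "icmp", 18000, 18000 * 92, 60),
    ("10.0.0.9", "icmp", 15000, 15000 * 92, 60),
    ("10.0.1.20", "tcp", 4000, 4000 * 1400, 60),
    ("10.0.1.21", "tcp", 2000, 2000 * 40, 60),
    ("10.0.1.22", "udp", 1000, 1000 * 80, 60),
    ("10.0.1.23", "icmp", 10, 10 * 84, 10),
]

def in_96_slot(packets, nbytes):
    # Assumption: the "96" slot holds packets of 65..96 bytes. A flow is
    # binned by its average packet size, since flow records carry totals only.
    return 64 < nbytes / packets <= 96

def fractions(flows):
    """Packet-count shares: the 96 slot, ICMP, and ICMP inside the 96 slot."""
    total = sum(f[2] for f in flows)
    slot = sum(f[2] for f in flows if in_96_slot(f[2], f[3]))
    icmp = sum(f[2] for f in flows if f[1] == "icmp")
    both = sum(f[2] for f in flows
               if f[1] == "icmp" and in_96_slot(f[2], f[3]))
    return {"slot96": slot / total, "icmp": icmp / total,
            "icmp_in_slot96": both / total}

def top_sources(flows, min_pps=100):
    """Sources of ICMP traffic in the 96 slot, highest packet rate first.

    min_pps is a hypothetical cut-off used to drop ordinary ping traffic.
    """
    pps = defaultdict(float)
    for src, proto, packets, nbytes, secs in flows:
        if proto == "icmp" and in_96_slot(packets, nbytes):
            pps[src] += packets / secs
    ranked = sorted(pps.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, rate) for src, rate in ranked if rate >= min_pps]

if __name__ == "__main__":
    for name, value in fractions(FLOWS).items():
        print(f"{name}: {value:.1%}")
    for src, rate in top_sources(FLOWS):
        print(f"{src}: {rate:.0f} pps of ICMP in the 96 slot")
```

When the ICMP share and the 96-slot share are close and almost all ICMP falls inside the slot, the slot is explained by ICMP and the ranked list shows where to look next.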


