[Dshield] Pattern in SoBig attacks?

Doug White doug at clickdoug.com
Mon Sep 1 15:09:50 GMT 2003


I suggest that was a local networking problem, as here is Texas, there has been
no let up at all.
I am still getting an incredible quantity of ICMP (Pings) and port 135 probes.
The majority of them are coming from my own ISP's net block, with about 25% from
outside the network.
One statistic I have noticed is that there was a reduction in spam, exploiting
these proxies for a 48 hour period this weekend (CST), however, since 6 PM
Sunday evening through the current time, there has been an increase in spam on
an order of magnitude of 600% increase.

Another observation is that I have a mix of Linux and Windows servers on my
small network, and the Windows boxes are getting less than 10% of the probes
than the Linux boxes are.  (I have Snort on all of them)  I am now blocking
pings (Port 0) at the border router, and will add Port 135 sometime today.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "John Hardin" <johnh at aproposretail.com>
To: "DShield mailing list" <list at dshield.org>
Sent: Monday, September 01, 2003 9:23 AM
Subject: [Dshield] Pattern in SoBig attacks?


| There was another almost attack-free one hour period from 1100-1200
| Pacific time on sunday. This seems to match the one hour hole last
| sunday.
|
| Is anybody else collecting statistics that confirm this?
|
| http://boundary.aproposretail.com/~johnh/quarantine.html
|
|
| --
| John Hardin  KA7OHZ
| Internal Systems Administrator                    voice: (425) 672-1304
| Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
| -----------------------------------------------------------------------
|   There is no problem that cannot be solved by the appropriate
|   application of high explosives.
| -----------------------------------------------------------------------
|  65 days until Matrix Revolutions
|
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
|




More information about the list mailing list