new worm providing DDOS attack too ...

Peter Van Epp vanepp at sfu.ca
Mon Sep 16 15:31:11 GMT 2002


	It appears the SSL worm will provide a (possibly inadvertent) DDOS 
attack against any infected host as well. This is towards our single (so far)
infected host which was removed from the network Friday afternoon. While we
have big pipes and this is hardly noticeable, a site with more compromised
hosts and/or smaller pipes may have more problems as may the transit pipes 
that will be aggregating all this traffic. This may turn out to be the most
serious outcome of this worm. At least some of these look to be DSL or cable
modems who have a poor record of being willing or able to do anything about
stopping this at the source (although I suppose a filter on UDP 2002 at 
the transit ingress router may give them some incentive :-)):

Mon 09/16 06:30:05      udp   62.89.116.182.2002   ->   aaa.bb.ccc.dd.2002  32     0       1568      0        INT
Mon 09/16 06:30:05      udp  80.198.241.237.2002   ->   aaa.bb.ccc.dd.2002  13     0       637       0        INT
Mon 09/16 06:30:06      udp   63.173.240.32.2002   ->   aaa.bb.ccc.dd.2002  33     0       1617      0        INT
Mon 09/16 06:30:07      udp  165.95.141.246.2002   ->   aaa.bb.ccc.dd.2002  1      0       49        0        TIM
Mon 09/16 06:30:07      udp   140.114.99.41.2002   ->   aaa.bb.ccc.dd.2002  66     0       3253      0        INT
Mon 09/16 06:30:08      udp  43.230.132.100.2002   ->   aaa.bb.ccc.dd.2002  27     0       1323      0        INT
Mon 09/16 06:30:05      udp 199.166.219.164.2002   ->   aaa.bb.ccc.dd.2002  50     0       2488      0        INT
Mon 09/16 06:30:09      udp   61.221.120.54.2002   ->   aaa.bb.ccc.dd.2002  1      0       49        0        TIM
Mon 09/16 06:30:07      udp  203.199.89.167.2002   ->   aaa.bb.ccc.dd.2002  65     0       3185      0        INT
Mon 09/16 06:30:06      udp    141.142.2.74.2002   ->   aaa.bb.ccc.dd.2002  196    0       9699      0        INT
Mon 09/16 06:30:07      udp  216.147.158.78.2002   ->   aaa.bb.ccc.dd.2002  47     0       2341      0        INT
Mon 09/16 06:30:11      udp   128.122.47.58.2002   ->   aaa.bb.ccc.dd.2002  46     0       2349      0        INT
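
A flow-log triage script for records in the layout shown above, added here as an example and not part of the original post. It assumes the four numeric columns are source packets, destination packets, source bytes and destination bytes; the function name, the source-count threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the records above; the addresses are
# documentation ranges, not values from the post.
SAMPLE = """\
Mon 09/16 06:30:05      udp    192.0.2.10.2002   ->  198.51.100.7.2002  32     0       1568      0        INT
Mon 09/16 06:30:05      udp    192.0.2.11.2002   ->  198.51.100.7.2002  13     0       637       0        INT
Mon 09/16 06:30:06      udp   203.0.113.5.2002   ->  198.51.100.7.2002  1      0       49        0        TIM
Mon 09/16 06:30:06      udp    192.0.2.12.2002   ->  198.51.100.7.2002  5      5       245       245      INT
Mon 09/16 06:30:07      udp      192.0.2.10.53   ->    198.51.100.9.53  2      2       120       300      INT
"""

# Assumed column order: src pkts, dst pkts, src bytes, dst bytes, state.
FLOW = re.compile(
    r"^\s*\S+\s+\S+\s+\S+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+\S+\s*$"
)

def inbound_port_flood(lines, port=2002, min_sources=3):
    """Return {dst: (distinct_sources, packets, bytes)} for hosts receiving
    unanswered UDP port->port traffic from at least min_sources peers."""
    per_dst = defaultdict(lambda: {"srcs": set(), "pkts": 0, "bytes": 0})
    for line in lines:
        m = FLOW.match(line)
        if not m or m["proto"] != "udp":
            continue                      # unparseable line or other protocol
        if int(m["sport"]) != port or int(m["dport"]) != port:
            continue                      # not the port pair seen in the post
        if int(m["dpkts"]) != 0:
            continue                      # destination replied: not one-way
        entry = per_dst[m["dst"]]
        entry["srcs"].add(m["src"])
        entry["pkts"] += int(m["spkts"])
        entry["bytes"] += int(m["sbytes"])
    return {
        dst: (len(e["srcs"]), e["pkts"], e["bytes"])
        for dst, e in per_dst.items()
        if len(e["srcs"]) >= min_sources
    }

if __name__ == "__main__":
    for dst, (srcs, pkts, nbytes) in inbound_port_flood(SAMPLE.splitlines()).items():
        print(f"{dst}: {srcs} sources, {pkts} packets, {nbytes} bytes on UDP 2002")
```

Run over a site's own flow export, the per-destination totals show which hosts are on the receiving end and how much of the link the aggregate takes up.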


