[unisog] New Virus?

Peter Van Epp vanepp at sfu.ca
Fri Sep 12 04:09:40 GMT 2003


	It appears very spoofed (I just came in from swatting and sniffing one).
Both source and destination are random with no relation to the source net so
antispoof filters will catch it. It was on a 10 repeated segment and had pegged
the segment though so it is likely very fast and likely to be very deadly to
bandwidth especially on a 100 port. I'd expect it to also flood the forwarding
tables in the switches although I haven't (yet) seen one on a switch port. It
may not be fast spreading either, ours has been here since this afternoon and
when we disconnected the closet it went to sleep until about an hour ago (or
was externally triggered I haven't seen the argus logs yet either). Looks like
it's time that the antispoof filters move out the switches all through the
network ...

Peter Van Epp / Operations and Technical Support 

On Wed, Sep 10, 2003 at 04:01:59PM -0400, Anderson Johnston wrote:
> 
> How spoofed?  We do egress filtering for anything leaving that is not from
> our /16 network.  Will it pick addresses from the same /16 or /24 subnet?
> 
> 					- andy
> 
> On Wed, 10 Sep 2003, Stephanie Hagopian wrote:
> 
> > - The victims connect to an IRC server and begin issuing DDOS commands
> > using spoofed IPs.
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------
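
An added example, not part of the original thread: a sketch of which filter tier would drop a spoofed source, comparing a border egress filter on the site /16 with a per-subnet antispoof filter at the access layer. The addressing plan, tier names and sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addressing plan (assumption, not taken from the thread).
SITE_NET = ipaddress.ip_network("10.20.0.0/16")


def classify(src, access_subnet, site_net=SITE_NET):
    """Return which filter tier would drop a packet with this source address."""
    src = ipaddress.ip_address(src)
    access_subnet = ipaddress.ip_network(access_subnet)
    if src in access_subnet:
        # Real host, or spoofed inside its own subnet: no address filter sees it.
        return "passes"
    if src in site_net:
        # Inside the site /16 but wrong subnet: the border egress filter
        # lets it out; only a per-subnet antispoof filter drops it.
        return "access-only"
    # Unrelated to the site: dropped at the border, but it still loads every
    # internal segment on the way there unless it is filtered at the access layer.
    return "border-or-access"


def summarize(flows):
    """Count flows per tier; flows are (access_subnet, source_ip) pairs."""
    return Counter(classify(src, subnet) for subnet, src in flows)


# Constructed sample: source addresses observed on one access subnet.
SAMPLE_FLOWS = [
    ("10.20.5.0/24", "10.20.5.17"),
    ("10.20.5.0/24", "10.20.9.200"),
    ("10.20.5.0/24", "198.51.100.7"),
    ("10.20.5.0/24", "203.0.113.90"),
]

if __name__ == "__main__":
    for tier, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{tier}: {count}")
```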


