Educause Security Discussion mailing list archives
Re: new outbreak of Slammer?
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 25 Aug 2004 12:04:10 -0500
A graph of UDP 1434 activity on Internet2 Abilene for the past 14 days can be seen at:

http://www.ren-isac.net/monitoring/port-costa.cgi?udp_dst_1434_packets

Definitely seeing increased activity. The IT-ISAC also reported today seeing increased activity on UDP 1434.

Activity on a number of common application and threat vector ports can be viewed at:

http://www.ren-isac.net/monitoring.cgi

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net

At 10:28 AM 8/25/2004 -0500, Scott Genung wrote:
All,

We are seeing large volumes of DoS traffic originating from what appears to be a new outbreak of Slammer. It all started around 4:30p yesterday afternoon and has doubled our inbound Internet volume. We are effectively blocking this traffic at the edge of our network through filters and IPS. Anyone else seeing this?

Below is one page of the logs we see on our IPS.

Scott Genung
Manager of Networking Systems
Telecommunications and Networking
Illinois State University
124 Julian Hall
Normal, IL 61790-3500
Phone: (309)438-7258
Web: http://www.tel.ilstu.edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.