Security Incidents mailing list archives

RE: DoS "Probing" on one of our hosts


From: "King, Brian" <BKing () langleyfcu org>
Date: Mon, 30 Jun 2003 11:21:22 -0400

Chris,
Uhm, I'm quite positive that 97.8 mBit coming in through our uplink are
a pretty good indicator for an attack.
Without any idea of what kind of traffic it was, I would not assume
anything. For one thing, can you prove that the traffic was externally
generated? Looking at how aggressively slammer scanned, I would not
discount that the traffic could be generated by a worm within your
network.  Without knowing the destination of the "DOS" packets, you
can't tell if it was a routing mess-up that sent a torrent of data to
you.  

And by "probing" I meant that maybe the attacker only tried to determine
our maximum bandwidth for a larger-scale attack, since the DoSes stopped
fairly soon without any outer influence.
Then again, it could be someone on your internal network probing to see
how much they can slow down Yahoo using your bandwidth. 

I just don't think we should rush to conclusions without knowing
anything about the traffic.  

Brian
