nanog mailing list archives

Re: ELF/Scalper-A Spreading?


From: "Johannes Ullrich" <jullrich () sans org>
Date: Fri, 26 Jul 2002 00:01:23 -0400


On Thu, 25 Jul 2002 20:30:38 -0700 (PDT)
"senthil ayyasamy" <mplsgeek () yahoo com> wrote:



Our border ACLs are catching about three thousand UDP/2100 hits every minute
tonight.  Is anyone else seeing this?  It seems as if ELF/Scalper-A (the
Apache/FreeBSD worm) is spreading.

http://www.dshield.org/port_report.php?port=2100
There is no major activity across 2100.

Since the 2100 traffic would be a targeted DDOS attack,
it will not show up globally. Also, didn't Scalper use
a commodity DDOS engine? So the 2100 traffic you see is
not necessarily from Scalper but could be from something
else that uses the same ddos engine.
 
But activity is more across 17300.
(http://www.dshield.org/port_report.php?port=17300)
What might be the reason?

Yeah, if anybody has packet captures. Probably not appropriate
for the Nanog list. But just send them to me.

-- 
---------------------------------------------------------------
jullrich () sans org             Collaborative Intrusion Detection
                                    join http://www.dshield.org

