Re: Warning -- floods of Allaple worm alerts.... sid:200329(2-5)

I monitor about 35 networks.  Two of them are getting lots of hits,  
the rest are not.  I see 197 unique hosts sending out the traffic.

It's gotta be 'bot traffic.  So our choices are send a letter to the  
owning ISP or shun them.  or do nothing.

for me the only relevant question is, "bot or not?"

If it really becomes overwhelming I might turn off the inbound probes  
and the outbound replies.

Is there any chance this is not bot traffic?

jp


Quoting Matt Jonkman 
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>:

> I've seen an increase, but not near that scale. It would seem to be an
> intentional thing.
>
> Perhaps we need to threshold those sigs, maybe once every 5 minutes by
> source. I'll do so.


> > Over the last 24 hours we have had about 50 sources fire 20 million ping
> > packets containing the string that triggers the Allaple signature.  The
> > only affect it has has is to gum up my snort database.   I don't believe
> > this is worm traffic and if is a ddos it is pretty feeble.  It was
> > however a fairly effective dos against my snort system -- two sensors
> > saw this traffic so that's a total of over 40 million events in the
> > database.  :(
> >
> > I have now disabled all those rules and am (slowly) deleting all the
> > records from the data base.   Can I suggest that these rules be disabled
> > by default with a comment saying why.
> >
> > Anyone got any idea why this traffic was sent (I doubt if they were
> > really trying to attack my snort system).   They have sent enough
> > traffic to random addresses to map our network 200 times over.



-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx