If someone wants to send me IPs or other info off-list, I can look to
see if we have anything on it.
--
Andre' M. Di Mino - SemperSecurus
The Shadowserver Foundation
http://www.shadowserver.org
On 1/18/07, Matt Jonkman
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx> wrote:
You still seeing those numbers of hits, Russell?
Have you tried pinging some of the sources at random to see if they're
legit or spoofed?
Matt
Russell Fulton wrote:
> Hi
>
> Over the last 24 hours we have had about 50 sources fire 20 million ping
> packets containing the string that triggers the Allaple signature. The
> only effect it has had is to gum up my snort database. I don't believe
> this is worm traffic and if it is a ddos it is pretty feeble. It was
> however a fairly effective dos against my snort system -- two sensors
> saw this traffic so that's a total of over 40 million events in the
> database. :(
>
> I have now disabled all those rules and am (slowly) deleting all the
> records from the database. Can I suggest that these rules be disabled
> by default with a comment saying why.
>
> Anyone got any idea why this traffic was sent (I doubt if they were
> really trying to attack my snort system)? They have sent enough
> traffic to random addresses to map our network 200 times over.
>
> Russell.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc