Just wondering if anyone else has seen this happen recently:
https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
We maxed out at about 10,000 flows/sec. I'm currently going back through
our argus logs and collecting a list of source hosts (all appear to be
spoofed of course). In a 15 minute period we had 4.2 million unique hosts
pounding one of our servers.
The only reason I post this is that on some other off-campus machines I
maintain, I've seen an increase in ftp connections. So, I was wondering
if this is some new worm, ddos, or something of that nature. If anyone
would care to comment, I'm all ears.
Brian
Oh, FYI..
This happened between 6 and 7 am EST this morning (5/21/2002). Normal
traffic for us at this time is <50Mbps, but at this time it peaked out at
about 130Mbps.
Also, and someone referred me to this:
http://www.dshield.org/port_report.php?port=21
Brian
Hi, Brian.
] https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
There is a huge increase in FTP scanning as well as the building of
warez botnets. The warez scanning is generally for anonymous FTP
servers with plentiful bandwidth, copious disk space, and generous write
permissions. Yes, the folks behind these activities do test for all
three. The warez botnet scanning is generally for Windows hosts
vulnerable to a cornucopia of sploits. These machines are then infected
with a bot that will join a warez botnet. These warez bots will then
respond to the commands issued in the channel. Some of them even issue
helpful messages when you join the warez channel (real log snippet):
To request a file type: "/msg <A> send <FILE>"
Sadly, some malware is more user friendly than commercial software. 
The tools to locate the anonymous FTP servers are automated, though they
are not worms. The tools to spread the warez bots can have worm-like
behaviours.
Now about your flows... It is very possible that you have a server that
has been "tagged." This server may be part of a distributed wareznet
serving up movies, MP3s, malware, pr0n, and other nasties. If the
server(s) now part of the warez network have popular things on them, you
will take quite a beating on bandwidth.
By the way, several of the warez bots are also flooders, e.g. can be
used to packet victims.
Thanks,
Rob.
Rob Thomas wrote:
There is a huge increase in FTP scanning as well as the building of
warez botnets. The warez scanning is generally for anonymous FTP
servers with plentiful bandwidth, copious disk space, and generous
write permissions. ...
One things I know of that helps here is to make sure you never have a
single directory that is both readable and writeable to an anonymous
user.
In general, restrict writing to users with logins and passwords. If you
must have an anonymous-write directory (like an incoming folder), make
sure that that directory is not also readable by anonymous users.
This probably won't eliminate all the abuse, but it should make it
impractical enough that the warez servers will probably start looking
elsewhere.
-- David
In addition to David's suggestion, you would also want to ensure that newly create files are umasked unreadable as well. Should the directory be masked unreadable but still executable (which it must be to actually enter it) users could still externally link to the files, even though one could not view them in a directory listing.
I saw a similar type of attack at the same time to one of my
customers.. not got all the details in yet, odd tho. If anyone knows more
will you CC me in case its related,
Cheers
STeve