Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
Of the customers I've had to shut off for being DOS targets, all are
windows boxen. Perhaps there is a new windows exploit?
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
Really bad. Quick capture of filter drops:
PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP
space)/1434 dropped
Really, really bad - most traffic I see is from this virus/dos:
Extended IP access list 152
deny udp any any eq 1434 (5639464 matches) - 94%
permit ip any any (311888 matches) - 6%
Wow!!!
What I'm seeing on my personal network connections is a lot of
traffic to udp port 1434 starting at 05:30:08 UTC. The sources appear very
widespread, but I'm also seeing different effects on networks. Some
backbones are being hit extremely hard, while others are just moderately
impacted. I haven't figured out if it is a customer base difference, or
if the worm is targeting. I haven't been willing to sacrifice one of my
personal computers to the cause, so I don't know what's in the payload.
According to Matrix Systems, there was about a 10% drop over the next
30 minutes. Keynote's data shows several backbones impacted. BGP and DNS
appear to be holding up more or less, but g.root-servers.net has left the
building (may be self-inflicted withdrawal). Cable & Wireless's
sla.cw.net shows no impact on their network. UUNET's network status web
site says Normal. Earthlink's network status web site shows various
maintenance activity. SBC's network status web site says dial and DSL are
Impaired. I can't reach www.sprint.net. AT&T's network status is
unavailable while service enhancement is being performed.
Same here. One particular GigE port with a bunch of M$ servers on it
pegged at precisely 998 mbps. Lovely.
> What I'm seeing on my personal network connections is a lot of
> traffic to udp port 1434 starting at 05:30:08 UTC.
I did some graphing of reports we got to DShield/ISC up to 9am EST.
http://isc.sans.org/port1434start.gif
The part that amazes me is the speed. It saturated within 1 minute!
Does anybody else see the oscillations in traffic? I remember seeing
something similar in netflow data for slapper (2002 udp). Or is this
just an artifact of our particular dataset?
So far, we got about 80,000 sources (distinct IPs sending port 1434
packets)
: > What I'm seeing on my personal network connections is a lot of
: > traffic to udp port 1434 starting at 05:30:08 UTC.
:
: I did some graphing of reports we got to DShield/ISC up to 9am EST.
: http://isc.sans.org/port1434start.gif
:
: The part that amazes me is the speed. It saturated within 1 minute!
Maybe they read "How to Own the Internet in Your Spare Time?"
scott
: Does anybody else see the oscillations in traffic? I remember seeing
: something similar in netflow data for slapper (2002 udp). Or is this
: just an artifact of our particular dataset?
:
: So far, we got about 80,000 sources (distinct IPs sending port 1434
: packets)
:
: --
: --------------------------------------------------------------------
: jullrich@euclidian.com Collaborative Intrusion Detection
: join http://www.dshield.org