Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 22.214.171.124.2090 > 126.96.36.199.1434: udp 376 [ttl 1]
> 19:41:32.192344 188.8.131.52.2090 > 184.108.40.206.1434: udp 376 [ttl
> Mmmmm, I don't know what machine 220.127.116.11 is, but I wouldn't be
> surprised if it sits in the same server room as my box... Does this
> tell you anything?
Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers
listen there), consists of single packets that are 376 bytes in size and causes
Seems like the machine at 18.104.22.168 is infected, so not much you can do
to stop this packet flood. You may try to contact the server admin and convince
him to reboot and patch the MS-SQL server. Or ask your provider to block
incoming packets on this port for your server.
Some sites with more information about this worm:
Michel Messerschmidt firstname.lastname@example.org
antiVirusTestCenter, Computer Science, University of Hamburg
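
The traffic pattern described in this reply (single UDP packets to port 1434, 376 bytes each) can be picked out of a tcpdump capture automatically. The following is an added example, not part of the original message: the function names, the `min_hits` threshold and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Old-style tcpdump text line, as quoted in the thread:
#   HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN [ttl N]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"udp\s+(?P<length>\d+)"
)

SLAMMER_PORT = 1434  # MS-SQL resolution service port named in the reply
SLAMMER_LEN = 376    # payload size named in the reply

def parse_line(line):
    """Return a dict for a UDP line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "length": int(m["length"])}

def slammer_sources(lines, min_hits=2):
    """Count packets per source matching port 1434 + length 376.

    min_hits (an assumed threshold) drops sources seen only once, so a
    single stray packet does not get a host reported as infected.
    """
    hits = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dport"] == SLAMMER_PORT and pkt["length"] == SLAMMER_LEN:
            hits[pkt["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}

# Constructed sample capture (not taken from the thread).
SAMPLE = """\
19:41:32.083993 192.0.2.10.2090 > 198.51.100.5.1434: udp 376 [ttl 1]
19:41:32.192344 192.0.2.10.2090 > 198.51.100.5.1434: udp 376 [ttl
19:41:32.300101 192.0.2.10.2090 > 198.51.100.5.1434: udp 376 [ttl 1]
19:41:33.000001 192.0.2.77.53 > 198.51.100.5.1434: udp 48
19:41:33.500000 192.0.2.99.4000 > 198.51.100.5.53: udp 376
19:41:34.000000 203.0.113.4.1100 > 198.51.100.5.1434: udp 376 [ttl 1]
garbage line that does not parse
"""

if __name__ == "__main__":
    for src, n in slammer_sources(SAMPLE.splitlines()).items():
        print(f"{src}: {n} packets matching udp/1434 len 376")
```

The per-source counts give the address to pass on to the server admin or the provider when asking for a block on this port.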