
Re: Large, constant incoming traffic

On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 >  udp 376 [ttl 1]
> 19:41:32.192344 >  udp 376 [ttl 1]
> Mmmmm, I don't know what machine is, but I wouldn't be 
> surprised if it sits in the same server room as my box... Does this 
> tell you anything?

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers
listen there), consists of single packets that are 376 bytes in size and causes
much traffic.
Seems like the machine at is infected, so not much you can do
to stop this packet flood. You may try to contact the server admin and convince
him to reboot and patch the MS-SQL server. Or ask your provider to block
incoming packets on this port for your server.

Some sites with more information about this worm:

Michel Messerschmidt           lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
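
Added example, not part of the original message: a small Python check that scans old-style tcpdump text output for the pattern described above (UDP, destination port 1434, length 376) and counts hits per source. The line format with addresses, the sample capture, the documentation IP addresses and the function name slammer_sources are all assumptions made for this example.

```python
import re
from collections import Counter

# Assumed old-style tcpdump line: time src.port > dst.port: udp <len> [...]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

SLAMMER_PORT = 1434  # UDP port named in the message
SLAMMER_LEN = 376    # packet size named in the message


def slammer_sources(lines, min_hits=2):
    """Return {source_ip: hit_count} for sources that sent at least
    min_hits packets matching the port and size pattern."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP line in the assumed format
        if int(m["dport"]) == SLAMMER_PORT and int(m["len"]) == SLAMMER_LEN:
            hits[m["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed sample capture (documentation addresses, not from the thread).
SAMPLE = """\
19:41:32.083993 192.0.2.10.1047 > 198.51.100.5.1434:  udp 376 [ttl 1]
19:41:32.192344 192.0.2.10.1047 > 198.51.100.5.1434:  udp 376 [ttl 1]
19:41:32.301100 192.0.2.10.1047 > 198.51.100.5.1434:  udp 376 [ttl 1]
19:41:33.000210 192.0.2.77.53 > 198.51.100.5.32768:  udp 120
19:41:33.400000 192.0.2.88.4000 > 198.51.100.5.1434:  udp 40
19:41:34.120000 192.0.2.99.2000 > 198.51.100.5.1434:  udp 376
""".splitlines()

if __name__ == "__main__":
    for src, n in slammer_sources(SAMPLE).items():
        print(f"{src}: {n} packets of {SLAMMER_LEN} bytes to UDP/{SLAMMER_PORT}")
```

The min_hits threshold keeps a single stray 376-byte datagram from being reported; the per-source counts give the address to pass on to the server admin or the provider.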
