Re: Large, constant incoming traffic

To: ML Debian security <debian-security@lists.debian.org>
Subject: Re: Large, constant incoming traffic
From: Gian Piero Carrubba <gp-ml@rm-rf.it>
Date: Thu, 13 May 2004 20:37:37 +0200
Message-id: <[🔎] 1084473457.7384.147.camel@localhost>
In-reply-to: <[🔎] 200405131953.33314.kjetil@kjernsmo.net>
References: <[🔎] 200405131753.21075.kjetil@kjernsmo.net> <33125.38.148.168.28.1084469577.squirrel@webmail2.nyct.net> <[🔎] 200405131953.33314.kjetil@kjernsmo.net>

Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto:

[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 
> 1]

A switched lan, I see ;)
It can be slammer [1] (if so, I guess why the ISP tech is so busy :)
As you run snort, the eth is probably in promiscuous mode. I think this
is the reason you see ifconfig counter increasing (though the packets
aren't leading to your server). This and a non-switched lan, of course.

Ciao,
Gian Piero.

[1]
http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0

Reply to:

Follow-Ups:
- Re: Large, constant incoming traffic
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

References:
- Large, constant incoming traffic
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Re: Large, constant incoming traffic
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

Prev by Date: Re: Large, constant incoming traffic
Next by Date: Re: Large, constant incoming traffic
Previous by thread: Re: Large, constant incoming traffic
Next by thread: Re: Large, constant incoming traffic
Index(es):
- Date
- Thread