ack on that, we've seen the same source.. same time..
20500 4 240 (T 4935, slot 147) <-> tcp, 212.224.127.14 41215<-> 213.200.x.x 80 20500 9 540 (T 3325, slot 147) <-> tcp, 212.224.127.14 14591<-> 213.200.x.x 80 20500 9 540 (T 2898, slot 147) <-> tcp, 212.224.127.14 39167<-> 213.200.x.x 80 20500 9 540 (T 3028, slot 148) <-> tcp, 212.224.127.14 55544<-> 213.200.x.x 80 20500 4 240 (T 5150, slot 149) <-> tcp, 212.224.127.14 44281<-> 213.200.x.x 80
-steven
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Goetz von Escher Sent: Friday, April 11, 2008 3:56 PM To: swinog@swinog.ch Subject: Re: [swinog] fw change on bluewin adsl accounts today?
Hi all
We notice a heavy DoS attack of TCP SYN packets to port 80 since yesterday 22:02 CEST directed against (random?) targets using a spoofed src ip from Munich (don't call the owner, call your upstream ISP and ask for proper filtering!). Lots of webservers and companies are affected. Some statistics can be found here:
http://www.dshield.org/ipinfo.html?ip=212.224.127.14 http://stats.fp6-noah.org/top.php
With kind regards Goetz von Escher
On 11.04.2008 15:16, Erich Hohermuth wrote:
Hello
We also have a few customers complaining about connection troubles, most of them have a Zywal. After some netflow debugging we see many port 80 syn connections which seems the cause of the troubles.
If someone needs a dump file, just send me a mail.
Kind Regards Erich
Am Freitag, den 11.04.2008, 14:27 +0200 schrieb Olivier Mueller:
Hello,
Still trying to reach the swisscom/bluewin support since
10 minutes
(and the robot keeps telling me "voraussichtliche warte
zeit: 4-5 minuten"
all the time), so I guess it quicker if I ask here as well.
It's a simple problem: I manage a few intranet boxes
(mail/webproxy)
connected to the net via standard bluewin adsl lines.
Everything was
fine the last years until today. Remote access via ssh
(NAT on the
router).
Since today: no way to connect any of the hosts (about 5) : ports for ssh and http seems to be closed, while some of the IP
are still
pingable.
Maybe somebody around knows about this thing? For example: maybe they activated a firewall this night on all customers
lines to prevent
virus/worms problems? (I don't have a bluewin line
myself, so it's
hard to debug remotely) .
Regards & a nice Weekend/Sechseläuten to you, Olivier
PS: in the mean time, the hotline answered and they know nothing about that, but they are going to check internally and
call back later...
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog