For several hours now, amprgw has been seeing a storm of traceroutes from
hundreds of different source addresses. It looks like a botnet has been
activated to probe net 44 using short-TTL packets like traceroute.
In reaction to this, I've temporarily set the gateway to discard any
packet with a TTL of less than 30. (The TTL is decremented by one when
the packet is forwarded; normally, of course, only packets with a TTL
value of zero are discarded.)
This will not affect normal traffic, most of which has TTL values in
the 40 to 64 range, but will throw away the short TTL packets used
by traceroute.
If you have problems with some site suddenly timing out instead of
its normal reachability, let me know and I'll re-enable the normal TTL
processing. In that case, we'll have to find some other way to cope
with the storm of traceroutes.
- Brian
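The two discard rules described in the message above, as an added example that is not part of the original post or amprgw's own code. The function names, the packet list and the addresses are constructed for illustration, and it assumes the threshold is compared against the TTL as the packet arrives, before the decrement.

```python
from collections import Counter

MIN_TTL = 30  # temporary threshold stated in the message

def forward_normal(ttl):
    """Normal forwarding: decrement the TTL, discard if it reaches zero."""
    new_ttl = ttl - 1
    return new_ttl if new_ttl > 0 else None

def forward_temporary(ttl, min_ttl=MIN_TTL):
    """Temporary rule: discard anything arriving with TTL below min_ttl.
    Assumption: the comparison uses the TTL before the decrement."""
    return None if ttl < min_ttl else forward_normal(ttl)

# Constructed sample: (source address, TTL as it arrives at the gateway).
PACKETS = [
    ("192.0.2.10", 1), ("192.0.2.10", 2), ("192.0.2.10", 3),  # TTL ramp
    ("198.51.100.7", 4), ("198.51.100.7", 5),                 # TTL ramp
    ("203.0.113.5", 52), ("203.0.113.5", 52),                 # ordinary traffic
    ("203.0.113.80", 113),                                    # ordinary traffic
    ("203.0.113.99", 27),  # legitimate sender whose packets arrive low
]

def summarize(packets, min_ttl=MIN_TTL):
    """Return (forwarded, dropped, per-source drop counts) under the temporary rule."""
    dropped = Counter()
    forwarded = 0
    for src, ttl in packets:
        if forward_temporary(ttl, min_ttl) is None:
            dropped[src] += 1
        else:
            forwarded += 1
    return forwarded, sum(dropped.values()), dropped

def ramp_sources(packets, min_ttl=MIN_TTL, min_distinct=2):
    """Sources seen with several distinct short TTLs (traceroute-style ramp)."""
    seen = {}
    for src, ttl in packets:
        if ttl < min_ttl:
            seen.setdefault(src, set()).add(ttl)
    return sorted(s for s, ttls in seen.items() if len(ttls) >= min_distinct)

if __name__ == "__main__":
    forwarded, dropped, per_source = summarize(PACKETS)
    print(f"forwarded={forwarded} dropped={dropped}")
    for src, count in per_source.most_common():
        tag = "ramp" if src in ramp_sources(PACKETS) else "collateral"
        print(f"{src:15} dropped={count} {tag}")
```

The source 203.0.113.99 is dropped without showing a TTL ramp, which corresponds to the "site suddenly timing out" case the message asks readers to report.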
Could you add a line showing how the log sees that kind of probe?
What about the statistics?
Is this storm what is now seen as an increment in the noise from 15mb/s to about
35MB/s?
Regards
Ronen 4Z4ZQ