[NeMo-DDoS-List] [Geant NeMo] Analysis for Alert #192931 WARN: IUCC (AS378) - [IUCC] [Customer] [Email_Analysis]

Hank Nussbacher hank at mail.iucc.ac.il
Wed Oct 4 17:23:11 IDT 2023


This will keep happening since NeMo doesn't have the ability to whitelist /24s that generate lots of sudden data - such as the CERN ATLAS group.
192.114.101.0/24 as a destination is one such segment located at Technion which receives data from ATLAS.

Regards,
Hank

-----Original Message-----
From: nemo-ddos at geant.org <nemo-ddos at geant.org>
Sent: Wednesday, 4 October 2023 14:16
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #192931 WARN: IUCC (AS378) - [IUCC] [Customer] [Email_Analysis]

Please find the analysis details for the Alert ID: 192931

Top-10 Src IPs by Packets:
   Packets   Est. Rate   % of Total            Src IP
----------------------------------------------------
  70102500      233675        17.1%   142.250.180.187
  66857100      222857        16.3%    216.58.204.155
  61320000      204400        15.0%    142.251.209.59
  13896000       46320         3.4%     216.58.209.59
   9131700       30439         2.2%    132.70.228.201
   7299300       24331         1.8%     45.79.133.162
   4574700       15249         1.1%    142.251.209.27
   3742800       12476         0.9%   142.250.179.138
   3576600       11922         0.9%    152.199.21.175
   3373500       11245         0.8%       209.197.3.8

Top-10 Dst IPs by Packets:
   Packets   Est. Rate   % of Total            Dst IP
----------------------------------------------------
  24898200       82994         6.1%   192.114.101.187
  24539400       81798         6.0%      132.71.132.1
  19571100       65237         4.8%   192.114.101.209
  10822200       36074         2.6%   192.114.101.100
  10432500       34775         2.6%    192.114.101.94
  10294500       34315         2.5%    192.114.101.96
  10211400       34038         2.5%    192.114.101.77
  10202700       34009         2.5%   192.114.101.163
  10131600       33772         2.5%    192.114.101.90
   9952200       33174         2.4%    192.114.101.87

Top-10 Possible Targets by Bytes:
           Src IP   Src Port            Dst IP   Dst Port   Sampled Count
-----------------------------------------------------------------------
  142.250.180.187        443                                 101720552700
  142.250.180.187                                            101720552700
   216.58.204.155        443                                  97013227200
   216.58.204.155                                             97013227200
   142.251.209.59        443                                  88972659900
   142.251.209.59                                             88972659900
                         443   192.114.101.187                36123860100
                               192.114.101.187                36123860100
                         443      132.71.132.1                36083285700
                                  132.71.132.1                36083285700

Further Details:
https://primary.nemo.geant.org/alerts/details/192931/

