[NeMo-DDoS-List] Alerts

Hank Nussbacher hank at mail.iucc.ac.il
Thu Sep 21 08:46:04 IDT 2023


As you have seen, NeMo flagged a number of incidents during the night since it saw:

Warning: Observed small packet sizes with
  2M Packets/s, 3G bits Traffic/s

As well as:

Top-10 Possible Targets by Bytes:
        Src IP   Src Port            Dst IP   Dst Port   Sampled Count
--------------------------------------------------------------------
                      443      132.65.60.73                24936775200
                               132.65.60.73                24936775200
                               132.76.61.53                15473557200
                       80      132.76.61.53                15185402100
  67.43.15.203         80                                  15142070400
  67.43.15.203                                             15142070400
                            192.114.101.113                10027591500
                     1094   192.114.101.113                 8373825900
  67.43.15.203                                   49367      7743812400
                               132.76.61.53      49367      7743812400

Hostname: cabackup.cs.huji.ac.il
IP Address: 132.65.60.73

And then some Weizmann IP which doesn’t resolve and then:

Hostname: tech-gftp.hep.technion.ac.il
IP Address: 192.114.101.113

I have asked the NeMo people if they can whitelist IP ranges so no alerts will ever be created – like for all the ATLAS/LHC IP ranges which generate lots of traffic and can be seen as a DDoS when it is not.

These alerts are there just to give you an idea that a DDoS event might be taking place and to which IP address it is targeted.  NeMo doesn’t have any ability yet to auto-mitigate.  If the event is a true DDoS, you need to contact the IUCC NOC so we open a trouble ticket with Geant so they manually mitigate the DDoS event.

Questions welcome.

Shana tova,
Hank
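
The allowlisting idea raised in the message, as an added example that is not part of the original post and not NeMo's own code: it parses a few rows of the report above by matching each right-aligned value to the nearest header column, then drops destinations covered by an allowlist. The allowlist entry, the field names and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Subset of the rows from the report quoted in the message above.
REPORT = """\
        Src IP   Src Port            Dst IP   Dst Port   Sampled Count
--------------------------------------------------------------------
                      443      132.65.60.73                24936775200
                               132.76.61.53                15473557200
  67.43.15.203         80                                  15142070400
                     1094   192.114.101.113                 8373825900
                               132.76.61.53      49367      7743812400
"""

# Constructed single-host entry for illustration; not a real ATLAS/LHC range list.
ALLOWLIST = [ipaddress.ip_network("192.114.101.113/32")]
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "count")


def parse_report(text):
    """Assign each value to the header column whose right edge is nearest."""
    lines = [l for l in text.splitlines() if l.strip()]
    # Header names contain single spaces and are separated by wider gaps.
    edges = [m.end() for m in re.finditer(r"\S+(?: \S+)*", lines[0])]
    rows = []
    for line in lines[2:]:  # skip the header and the dashed rule
        row = dict.fromkeys(FIELDS)
        for m in re.finditer(r"\S+", line):
            idx = min(range(len(edges)), key=lambda i: abs(edges[i] - m.end()))
            row[FIELDS[idx]] = m.group()
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def is_allowlisted(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in ALLOWLIST)


def targets_to_triage(rows):
    """Rows naming a destination IP that the allowlist does not cover."""
    return [r for r in rows if r["dst_ip"] and not is_allowlisted(r["dst_ip"])]
```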