[NeMo-DDoS-List] Alerts
Hank Nussbacher
hank at mail.iucc.ac.il
Thu Sep 21 08:46:04 IDT 2023
As you have seen, NeMo flagged a number of incidents during the night since it saw:
Warning: Observed small packet sizes with
2M Packets/s, 3G bits Traffic/s
As well as:
Top-10 Possible Targets by Bytes:
Src IP Src Port Dst IP Dst Port Sampled Count
--------------------------------------------------------------------
443 132.65.60.73 24936775200
132.65.60.73 24936775200
132.76.61.53 15473557200
80 132.76.61.53 15185402100
67.43.15.203 80 15142070400
67.43.15.203 15142070400
192.114.101.113 10027591500
1094 192.114.101.113 8373825900
67.43.15.203 49367 7743812400
132.76.61.53 49367 7743812400
Hostname: cabackup.cs.huji.ac.il
IP Address: 132.65.60.73
And then some Weizmann IP which doesn’t resolve and then:
Hostname: tech-gftp.hep.technion.ac.il
IP Address: 192.114.101.113
I have asked the NeMo people if they can whitelist IP ranges so no alerts will ever be created – like for all the ATLAS/LHC IP ranges which generate lots of traffic and can be seen as a DDoS when it is not.
These alerts are there just to give you an idea that a DDoS event might be taking place and to which IP address it is targeted. NeMo doesn’t have any ability yet to auto-mitigate. If the event is a true DDoS, you need to contact the IUCC NOC so we open a trouble ticket with Geant so they manually mitigate the DDoS event.
Questions welcome.
Shana tova,
Hank
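
Added example, not part of the original message and not a NeMo feature: a Python sketch of the allowlisting idea raised above, applied as a post-filter to alert targets, plus the average packet size implied by the warning's rate figures. The allowlist entries, the sample rows (taken from the port-less rows of the table and read as possible targets) and all function names are assumptions.

```python
import ipaddress

# Constructed allowlist (assumption): /32 entries for the two hosts the
# message resolves by name. Real ATLAS/LHC ranges are not in the message.
ALLOWLIST = ["132.65.60.73/32", "192.114.101.113/32"]

# Constructed sample: (address, sampled count) pairs based on the alert table.
SAMPLE_TARGETS = [
    ("132.65.60.73", 24936775200),
    ("132.76.61.53", 15473557200),
    ("67.43.15.203", 15142070400),
    ("192.114.101.113", 10027591500),
    ("", 7743812400),  # constructed row with the address column missing
]

def avg_packet_bytes(bits_per_s, packets_per_s):
    """Mean packet size in bytes implied by the alert's two rate figures."""
    if packets_per_s <= 0:
        raise ValueError("packet rate must be positive")
    return bits_per_s / 8 / packets_per_s

def split_targets(targets, allowlist):
    """Split targets into (alertable, suppressed, unparsed) lists."""
    # strict=True rejects entries with host bits set, e.g. 10.0.0.1/24
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in allowlist]
    alertable, suppressed, unparsed = [], [], []
    for addr, count in targets:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unparsed.append((addr, count))  # keep bad rows visible
            continue
        if any(ip in net for net in nets):
            suppressed.append((addr, count))  # kept for review, not dropped
        else:
            alertable.append((addr, count))
    alertable.sort(key=lambda t: t[1], reverse=True)  # largest count first
    return alertable, suppressed, unparsed

if __name__ == "__main__":
    # 3G bits/s at 2M packets/s, the figures from the warning
    print("avg packet bytes:", avg_packet_bytes(3_000_000_000, 2_000_000))
    for name, rows in zip(("alertable", "suppressed", "unparsed"),
                          split_targets(SAMPLE_TARGETS, ALLOWLIST)):
        print(name, rows)
```

Suppressed targets are returned rather than discarded, so traffic toward an allowlisted host can still be reviewed if it turns out to be a real attack.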