[NeMo-DDoS-List] [Geant NeMo] Analysis for Alert #339617 WARN: IUCC (AS378) - [Email_Analysis] [Customer] [IUCC]

Hank Nussbacher hank at mail.iucc.ac.il
Mon Sep 30 19:15:56 IDT 2024


cv-ma4.haifa.ac.il appears to be sending data to 132.76.212.49. Is that normal?

-----Original Message-----
From: nemo-ddos at geant.org <nemo-ddos at geant.org>
Sent: Monday, 30 September 2024 18:28
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #339617 WARN: IUCC (AS378) - [Email_Analysis] [Customer] [IUCC]

Please find the analysis details for the Alert ID: 339617

Top-10 Src IPs by Packets:
    Packets   Est. Rate   % of Total            Src IP
-----------------------------------------------------
  145682100      485607        33.4%        132.74.3.4
   17534700       58449         4.0%   142.250.180.187
   17533200       58444         4.0%    216.58.204.155
   15565800       51886         3.6%   142.250.180.155
   15239400       50798         3.5%     216.58.205.59
   13890900       46303         3.2%    142.251.209.59
   13874700       46249         3.2%    142.251.209.27
   12559800       41866         2.9%    216.58.204.251
    8265900       27553         1.9%     13.107.138.10
    6930900       23103         1.6%     54.230.112.82

Top-10 Dst IPs by Packets:
    Packets   Est. Rate   % of Total          Dst IP
---------------------------------------------------
  102155100      340517        23.4%   132.76.212.49
   34001100      113337         7.8%        3.5.57.7
   28695300       95651         6.6%      132.74.3.4
   26772000       89240         6.1%       3.5.56.12
   19433400       64778         4.5%       3.5.58.15
   10586400       35288         2.4%     16.12.14.10
    9566400       31888         2.2%    132.68.38.54
    7600800       25336         1.7%        3.5.56.4
    7020000       23400         1.6%    192.114.5.10
    6476100       21587         1.5%     16.12.12.10

Top-10 Possible Targets by Bytes:
      Src IP   Src Port          Dst IP   Dst Port   Sampled Count
----------------------------------------------------------------
  132.74.3.4                                   443    214798128900
  132.74.3.4                                          214798128900
                    443   132.76.212.49               148087329900
                          132.76.212.49               148087329900
                               3.5.57.7        443     50411389800
                               3.5.57.7                50411389800
                              3.5.56.12        443     39706581300
                              3.5.56.12                39706581300
                              3.5.58.15        443     28806129000
                              3.5.58.15                28806129000

Metric Info:
1M ACK Packets/s

Alert Type:
time_window

Alert Description:
High ACK packet rate

Start Time: 2024-09-30 15:18:13
End Time: ongoing

First Event Seen: 2024-09-30 15:16:00
Last Event Seen: 2024-09-30 15:25:00

Further Details:
https://primary.nemo.geant.org/alerts/details/339617/

