From hank at mail.iucc.ac.il Sat Aug 2 13:55:49 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 10:55:49 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] Analysis for Alert #379815 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]
In-Reply-To: <20250802105537.B25162000D9@primary.nemo.geant.org>
References: <20250802105537.B25162000D9@primary.nemo.geant.org>
Message-ID:

________________________________________
From: nemo-ddos at host.geant.org
Sent: Saturday, August 2, 2025 1:55:37 PM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #379815 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]

Please find the analysis details for the Alert ID: 379815

Top-10 Src IPs by Packets:

Packets   Est. Rate  % of Total  Src IP
----------------------------------------------------
25983300  86611      42.9%       89.248.165.99
13618800  45396      22.5%       89.248.163.10
1360200   4534       2.2%        141.148.59.116
985500    3285       1.6%        193.142.146.168
634200    2114       1.0%        104.156.155.7
487200    1624       0.8%        18.223.104.85
481500    1605       0.8%        3.136.208.236
467700    1559       0.8%        185.91.127.107
413400    1378       0.7%        52.14.122.207
323100    1077       0.5%        176.65.148.215

Top-10 Dst IPs by Packets:

Packets   Est. Rate  % of Total  Dst IP
--------------------------------------------------
55500     185        0.1%        128.139.53.201
54000     180        0.1%        128.139.53.170
52800     176        0.1%        128.139.53.227
52200     174        0.1%        128.139.53.78
49500     165        0.1%        128.139.53.138
46800     156        0.1%        128.139.53.248
46200     154        0.1%        128.139.53.222
45000     150        0.1%        128.139.53.5
41400     138        0.1%        128.139.53.76
39600     132        0.1%        132.65.240.60

Top-10 Possible Targets by Bytes:

Src IP  Src Port  Dst IP  Dst Port  Sampled Count
---------------------------------------------------------------------
89.248.165.99 51642 1039332000
89.248.165.99 1039332000
89.248.163.10 50929 544752000
89.248.163.10 544752000
141.148.59.116 70730400
193.142.146.168 38364000
193.142.146.168 82 32292000
132.65.240.60 26604000
64.31.42.110 9000 26568000
64.31.42.110 51296 26568000

Metric Info: 241k SYN Packets/s
Alert Type: time_window
Alert Description: High SYN packet rate
Start Time: 2025-08-02 10:50:29
End Time: ongoing
First Event Seen: 2025-08-02 10:48:00
Last Event Seen: 2025-08-02 10:54:00

Further Details: https://primary.nemo.geant.org/alerts/details/379815/

From hank at mail.iucc.ac.il Sat Aug 2 13:55:52 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 10:55:52 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #379817 UPD CRIT: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250802105544.78A5D2000D9@primary.nemo.geant.org>
References: <20250802105544.78A5D2000D9@primary.nemo.geant.org>
Message-ID: <0d10005edc6b4e06b05014a5b5fca6e0@PAWP194MB2078.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Saturday, August 2, 2025 1:55:44 PM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #379817 UPD CRIT: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]

Aggregated 2 alerts. Upgraded to severity Critical.
Alert ID: 379817
Status: Open
Severity: Critical
Start Time: 2025-08-02 10:50:29
End Time: ongoing
Start Time (Europe/Berlin): 2025-08-02 12:50:29
End Time (Europe/Berlin): ongoing
Duration: 6 min
First Event Seen: 2025-08-02 10:48:00
Last Event Seen: 2025-08-02 10:54:00
Event Count: 14
Trigger: Multiple Alerts (ID 15)
Alert Description: Aggregated 2 alerts.

Affected Objects:

Type              Name          Event Count
---------------------------------------------------
Autonomoussystem  IUCC (AS378)  14

Child Alerts:

Alert ID  Description
----------------------------------------------
379816    Abnormal SYN:ACK packet ratio
379815    High SYN packet rate

Further Details: https://primary.nemo.geant.org/alerts/details/379817/

All times expressed in UTC.

From hank at mail.iucc.ac.il Sat Aug 2 14:06:05 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 11:06:05 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #379817 END CRIT: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250802110548.6C82C2000D9@primary.nemo.geant.org>
References: <20250802110548.6C82C2000D9@primary.nemo.geant.org>
Message-ID: <3253535628164e82a4240c9fc079df2a@PAWP194MB2078.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Saturday, August 2, 2025 2:05:48 PM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #379817 END CRIT: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]

Observed <= 0 alerts, closing. Alert closed.

Alert ID: 379817
Status: Closed
Severity: Critical
Start Time: 2025-08-02 10:50:29
End Time: 2025-08-02 11:05:35
Start Time (Europe/Berlin): 2025-08-02 12:50:29
End Time (Europe/Berlin): 2025-08-02 13:05:35
Duration: 16 min
First Event Seen: 2025-08-02 10:48:00
Last Event Seen: 2025-08-02 10:55:00
Event Count: 16
Trigger: Multiple Alerts (ID 15)
Alert Description: Aggregated 2 alerts.
Affected Objects:

Type              Name          Event Count
---------------------------------------------------
Autonomoussystem  IUCC (AS378)  16

Child Alerts:

Alert ID  Description
----------------------------------------------
379816    Abnormal SYN:ACK packet ratio
379815    High SYN packet rate

Further Details: https://primary.nemo.geant.org/alerts/details/379817/

All times expressed in UTC.

From hank at mail.iucc.ac.il Sun Aug 3 01:46:56 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 22:46:56 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #379926 NEW WARN: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250802224646.5645920041D@primary.nemo.geant.org>
References: <20250802224646.5645920041D@primary.nemo.geant.org>
Message-ID: <0b28d2382f624f959e67e5f387351202@DU0P194MB2075.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Sunday, August 3, 2025 1:46:46 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #379926 NEW WARN: IUCC (AS378) - "2 alerts" [IUCC] [Customer] [Email_Analysis]

Aggregated 2 alerts. Opened with severity Warning.

Alert ID: 379926
Status: Open
Severity: Warning
Start Time: 2025-08-02 22:46:32
End Time: ongoing
Start Time (Europe/Berlin): 2025-08-03 00:46:32
End Time (Europe/Berlin): ongoing
Duration: 1 min
First Event Seen: 2025-08-02 22:44:00
Last Event Seen: 2025-08-02 22:45:00
Event Count: 4
Trigger: Multiple Alerts (ID 15)
Alert Description: Aggregated 2 alerts.

Affected Objects:

Type              Name          Event Count
---------------------------------------------------
Autonomoussystem  IUCC (AS378)  4

Child Alerts:

Alert ID  Description
-------------------------------------
379920    High ACK packet rate
379923    High packet rate

Further Details: https://primary.nemo.geant.org/alerts/details/379926/

All times expressed in UTC.
From hank at mail.iucc.ac.il Sun Aug 3 01:46:56 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 22:46:56 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] Analysis for Alert #379923 WARN: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]
In-Reply-To: <20250802224647.C01A720041D@primary.nemo.geant.org>
References: <20250802224647.C01A720041D@primary.nemo.geant.org>
Message-ID: <25d97624093549e19d9c4d75bbf66cda@DU0P194MB2075.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Sunday, August 3, 2025 1:46:47 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #379923 WARN: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]

Please find the analysis details for the Alert ID: 379923

Top-10 Src IPs by Packets:

Packets    Est. Rate  % of Total  Src IP
---------------------------------------------------------
98586600   328622     45.9%       2001:bf8:900:d:2::71
4764900    15883      2.2%        132.76.61.54
4725300    15751      2.2%        142.250.179.202
4621200    15404      2.2%        82.77.160.177
3901500    13005      1.8%        132.73.124.48
3079800    10266      1.4%        52.107.224.129
2035800    6786       0.9%        157.240.252.63
1905600    6352       0.9%        216.58.209.42
1835100    6117       0.9%        157.240.251.63
1701300    5671       0.8%        157.240.253.63

Top-10 Dst IPs by Packets:

Packets    Est. Rate  % of Total  Dst IP
-------------------------------------------------------------
9822900    32743      4.6%        2001:760:422a:137::201:70
7679400    25598      3.6%        2001:760:422a:137::201:68
7512600    25042      3.5%        2001:760:422a:137::201:82
7359000    24530      3.4%        128.139.35.5
7124700    23749      3.3%        128.139.225.244
6612000    22040      3.1%        2001:760:422a:137::201:23
6298800    20996      2.9%        2001:760:422a:137::201:60
5640600    18802      2.6%        2001:760:422a:137::201:21
4984200    16614      2.3%        132.74.74.134
4827300    16091      2.2%        2001:760:422a:137::201:80

Top-10 Possible Targets by Bytes:

Src IP  Src Port  Dst IP  Dst Port  Sampled Count
--------------------------------------------------------------------------------------
2001:bf8:900:d:2::71 8443 147762237000
2001:bf8:900:d:2::71 147762237000
8443 2001:760:422a:137::201:70 14723551800
2001:760:422a:137::201:70 14723551800
8443 2001:760:422a:137::201:68 11516417400
2001:760:422a:137::201:68 11516417400
8443 2001:760:422a:137::201:82 11260583400
2001:760:422a:137::201:82 11260583400
8443 2001:760:422a:137::201:23 9916560000
2001:760:422a:137::201:23 9916560000

Metric Info: 1M Packets/s
Alert Type: time_window
Alert Description: High packet rate
Start Time: 2025-08-02 22:46:33
End Time: ongoing
First Event Seen: 2025-08-02 22:44:00
Last Event Seen: 2025-08-02 22:45:00

Further Details: https://primary.nemo.geant.org/alerts/details/379923/

From hank at mail.iucc.ac.il Sun Aug 3 01:51:57 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 22:51:57 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #379926 UPD CRIT: IUCC (AS378) - "3 alerts" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250802225146.E4FCF20041D@primary.nemo.geant.org>
References: <20250802225146.E4FCF20041D@primary.nemo.geant.org>
Message-ID:

________________________________________
From: nemo-ddos at host.geant.org
Sent: Sunday, August 3, 2025 1:51:46 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #379926 UPD CRIT: IUCC (AS378) - "3 alerts" [IUCC] [Customer] [Email_Analysis]

Aggregated 3 alerts. Upgraded to severity Critical.

Alert ID: 379926
Status: Open
Severity: Critical
Start Time: 2025-08-02 22:46:32
End Time: ongoing
Start Time (Europe/Berlin): 2025-08-03 00:46:32
End Time (Europe/Berlin): ongoing
Duration: 6 min
First Event Seen: 2025-08-02 22:44:00
Last Event Seen: 2025-08-02 22:50:00
Event Count: 18
Trigger: Multiple Alerts (ID 15)
Alert Description: Aggregated 3 alerts.

Affected Objects:

Type              Name          Event Count
---------------------------------------------------
Autonomoussystem  IUCC (AS378)  18

Child Alerts:

Alert ID  Description
-------------------------------------
379920    High ACK packet rate
379923    High packet rate
379924    High TCP packet rate

Further Details: https://primary.nemo.geant.org/alerts/details/379926/

All times expressed in UTC.

From hank at mail.iucc.ac.il Sun Aug 3 01:52:11 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 22:52:11 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] Analysis for Alert #379923 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]
In-Reply-To: <20250802225203.537C120041D@primary.nemo.geant.org>
References: <20250802225203.537C120041D@primary.nemo.geant.org>
Message-ID: <14f7524ec9c3454e823f331153a58e3e@DU0P194MB2075.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Sunday, August 3, 2025 1:52:03 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #379923 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]

Please find the analysis details for the Alert ID: 379923

Top-10 Src IPs by Packets:

Packets    Est. Rate  % of Total  Src IP
----------------------------------------------------------
150556200  501854     51.9%       2001:bf8:900:d:2::71
5997900    19993      2.1%        132.76.61.54
5450100    18167      1.9%        82.77.160.177
4725300    15751      1.6%        142.250.179.202
4467000    14890      1.5%        132.73.124.48
3478500    11595      1.2%        52.107.224.129
2430300    8101       0.8%        157.240.252.63
2190900    7303       0.8%        157.240.251.63
2055300    6851       0.7%        216.58.209.42
2017200    6724       0.7%        142.251.209.10

Top-10 Dst IPs by Packets:

Packets    Est. Rate  % of Total  Dst IP
--------------------------------------------------------------
11216400   37388      3.9%        2001:760:422a:137::201:82
10835100   36117      3.7%        2001:760:422a:137::201:70
10614000   35380      3.7%        2001:760:422a:137::201:60
10418100   34727      3.6%        2001:760:422a:137::201:68
8895000    29650      3.1%        2001:760:422a:137::201:23
8687700    28959      3.0%        128.139.35.5
8635200    28784      3.0%        128.139.225.244
7991100    26637      2.8%        2001:760:422a:137::201:21
7065300    23551      2.4%        2001:760:422a:137::201:72
6756000    22520      2.3%        2001:760:422a:137::201:61

Top-10 Possible Targets by Bytes:

Src IP  Src Port  Dst IP  Dst Port  Sampled Count
--------------------------------------------------------------------------------------
2001:bf8:900:d:2::71 8443 225683259000
2001:bf8:900:d:2::71 225683259000
8443 2001:760:422a:137::201:82 16815404400
2001:760:422a:137::201:82 16815404400
8443 2001:760:422a:137::201:60 15914544600
2001:760:422a:137::201:60 15914544600
8443 2001:760:422a:137::201:68 15623002200
2001:760:422a:137::201:68 15623002200
8443 2001:760:422a:137::201:70 14723551800
2001:760:422a:137::201:70 14723551800

Metric Info: 1M Packets/s
Alert Type: time_window
Alert Description: High packet rate
Start Time: 2025-08-02 22:46:33
End Time: ongoing
First Event Seen: 2025-08-02 22:44:00
Last Event Seen: 2025-08-02 22:50:00

Further Details: https://primary.nemo.geant.org/alerts/details/379923/

From hank at mail.iucc.ac.il Sun Aug 3 02:01:57 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Sat, 2 Aug 2025 23:01:57 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #379926 END CRIT: IUCC (AS378) - "3 alerts" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250802230147.F076B2000D9@primary.nemo.geant.org>
References: <20250802230147.F076B2000D9@primary.nemo.geant.org>
Message-ID:

________________________________________
From: nemo-ddos at host.geant.org
Sent: Sunday, August 3, 2025 2:01:47 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #379926 END CRIT: IUCC (AS378) - "3 alerts" [IUCC] [Customer] [Email_Analysis]

Observed <= 0 alerts, closing. Alert closed.

Alert ID: 379926
Status: Closed
Severity: Critical
Start Time: 2025-08-02 22:46:32
End Time: 2025-08-02 23:01:37
Start Time (Europe/Berlin): 2025-08-03 00:46:32
End Time (Europe/Berlin): 2025-08-03 01:01:37
Duration: 16 min
First Event Seen: 2025-08-02 22:44:00
Last Event Seen: 2025-08-02 22:51:00
Event Count: 21
Trigger: Multiple Alerts (ID 15)
Alert Description: Aggregated 3 alerts.

Affected Objects:

Type              Name          Event Count
---------------------------------------------------
Autonomoussystem  IUCC (AS378)  21

Child Alerts:

Alert ID  Description
-------------------------------------
379920    High ACK packet rate
379923    High packet rate
379924    High TCP packet rate

Further Details: https://primary.nemo.geant.org/alerts/details/379926/

All times expressed in UTC.