From hank at mail.iucc.ac.il Tue Jul 1 11:29:42 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Tue, 1 Jul 2025 08:29:42 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] Analysis for Alert #376817 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]
In-Reply-To: <20250701082935.2E8712000B4@primary.nemo.geant.org>
References: <20250701082935.2E8712000B4@primary.nemo.geant.org>
Message-ID: <1d3794b2471945af900003e9b3d2214e@PAWP194MB2078.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Tuesday, July 1, 2025 11:29:35 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] Analysis for Alert #376817 CRIT: IUCC (AS378) - [Customer] [Email_Analysis] [IUCC]

Please find the analysis details for the Alert ID: 376817

Top-10 Src IPs by Packets:
Packets     Est. Rate   % of Total   Src IP
---------------------------------------------------
11867400    39558       22.3%        34.28.207.190
8315400     27718       15.6%        34.55.102.107
6015900     20053       11.3%        34.66.88.210
3121800     10406       5.9%         35.226.27.221
1028100     3427        1.9%         93.123.72.134
590100      1967        1.1%         89.42.231.140
557400      1858        1.0%         149.86.227.49
531000      1770        1.0%         193.34.212.110
500400      1668        0.9%         157.240.251.55
431400      1438        0.8%         89.248.163.67

Top-10 Dst IPs by Packets:
Packets     Est. Rate   % of Total   Dst IP
---------------------------------------------------
500400      1668        0.9%         132.74.171.161
111900      373         0.2%         192.114.105.254
100500      335         0.2%         52.222.144.118
70800       236         0.1%         192.114.91.244
61200       204         0.1%         159.124.2.172
58500       195         0.1%         192.114.91.249
56100       187         0.1%         132.66.230.14
55500       185         0.1%         132.76.61.52
53700       179         0.1%         192.114.5.10
52500       175         0.1%         128.139.225.245

Top-10 Possible Targets by Bytes:
Src IP Src Port Dst IP Dst Port Sampled Count
---------------------------------------------------------------------
157.240.251.55 443 715598100
157.240.251.55 34006 715598100
157.240.251.55 715598100
443 132.74.171.161 715598100
132.74.171.161 34006 715598100
132.74.171.161 715598100
34.28.207.190 474696000
34.55.102.107 332616000
34.66.88.210 240636000
34.28.207.190 58153 191208000

Metric Info: 228k SYN Packets/s
Alert Type: time_window
Alert Description: High SYN packet rate
Start Time: 2025-07-01 08:26:24
End Time: ongoing
First Event Seen: 2025-07-01 08:24:00
Last Event Seen: 2025-07-01 08:27:00

Further Details: https://primary.nemo.geant.org/alerts/details/376817/

From hank at mail.iucc.ac.il Tue Jul 1 11:29:41 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Tue, 1 Jul 2025 08:29:41 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #376817 UPD CRIT: IUCC (AS378) - "High SYN packet rate: 228k SYN Packets/s" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250701082933.3F8762000B4@primary.nemo.geant.org>
References: <20250701082933.3F8762000B4@primary.nemo.geant.org>
Message-ID: <64adf8e35c6c47d3a7a824d98baf558b@PAWP194MB2078.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Tuesday, July 1, 2025 11:29:33 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #376817 UPD CRIT: IUCC (AS378) - "High SYN packet rate: 228k SYN Packets/s" [IUCC] [Customer] [Email_Analysis]

Critical: Observed high SYN packet rates of 228k SYN Packets/s on autonomoussystem IUCC (AS378).
Alert ID: 376817
Status: Open
Severity: Critical
Start Time: 2025-07-01 08:26:24
End Time: ongoing
Start Time (Europe/Berlin): 2025-07-01 10:26:24
End Time (Europe/Berlin): ongoing
Duration: 3 min
First Event Seen: 2025-07-01 08:24:00
Last Event Seen: 2025-07-01 08:27:00
Event Count: 4
Trigger: High SYN Packet Rate (AS) (Email_Analysis+threshold) (ID 60)
Alert Description: High SYN packet rate

Affected Objects:
Type               Name            Event Count
---------------------------------------------------
Autonomoussystem   IUCC (AS378)    4

Further Details: https://primary.nemo.geant.org/alerts/details/376817/

All times expressed in UTC.

From hank at mail.iucc.ac.il Tue Jul 1 11:39:44 2025
From: hank at mail.iucc.ac.il (Hank Nussbacher)
Date: Tue, 1 Jul 2025 08:39:44 +0000
Subject: [NeMo-DDoS-List] FW: [Geant NeMo] #376817 END CRIT: IUCC (AS378) - "Normal SYN packet rate" [IUCC] [Customer] [Email_Analysis]
In-Reply-To: <20250701083937.498FA2000B4@primary.nemo.geant.org>
References: <20250701083937.498FA2000B4@primary.nemo.geant.org>
Message-ID: <7e451388db574b6fa9b5451595345367@PAWP194MB2078.EURP194.PROD.OUTLOOK.COM>

________________________________________
From: nemo-ddos at host.geant.org
Sent: Tuesday, July 1, 2025 11:39:37 AM (UTC+02:00) Jerusalem
To: soc at geant.org
Subject: [Geant NeMo] #376817 END CRIT: IUCC (AS378) - "Normal SYN packet rate" [IUCC] [Customer] [Email_Analysis]

Alert closed: The SYN packet rate on autonomoussystem IUCC (AS378) returned to normal values.
Alert ID: 376817
Status: Closed
Severity: Critical
Start Time: 2025-07-01 08:26:24
End Time: 2025-07-01 08:39:24
Start Time (Europe/Berlin): 2025-07-01 10:26:24
End Time (Europe/Berlin): 2025-07-01 10:39:24
Duration: 13 min
First Event Seen: 2025-07-01 08:24:00
Last Event Seen: 2025-07-01 08:28:00
Event Count: 5
Trigger: High SYN Packet Rate (AS) (Email_Analysis+threshold) (ID 60)
Alert Description: High SYN packet rate

Affected Objects:
Type               Name            Event Count
---------------------------------------------------
Autonomoussystem   IUCC (AS378)    5

Further Details: https://primary.nemo.geant.org/alerts/details/376817/

All times expressed in UTC.