[AG-TECH] AG DoS?

Michael Grobe grobe at raven.cc.ku.edu
Thu Jan 24 11:17:24 CST 2002


bob:
> 
> do you have any information on source addresses, or if the traffic was 
> valid media data?

our networking group reported:

Hosts connecting to 224.2.177.155
January 23rd, 2001 13:56 - 17:21

Source Addresses | Hostname
===================================================
128.111.55.103   | 
128.135.152.207  | ag-display.asci.uchicago.edu
128.135.152.209  | ag-video.asci.uchicago.edu
128.3.10.50      | agnode2.lbl.gov
129.237.25.5     | microdrm.cc.ku.edu
129.237.25.85    | microvrm.cc.ku.edu
130.37.42.36     | carolina.nat.vu.nl
130.37.42.38     | bucho.nat.vu.nl
131.193.77.101   | simpson.evl.uic.edu
131.193.77.102   | holtzer.evl.uic.edu
131.193.77.111   |
137.48.142.42    |
137.48.142.54    |
140.221.34.1     | ws-video.mcs.anl.gov
140.221.34.2     | ws-display.mcs.anl.gov
140.221.8.157    | dsl-agvideo.mcs.anl.gov
140.221.8.209    | dsl-agdisplay.mcs.anl.gov
142.55.1.201     | oa-ag-display.sheridanc.on.ca
142.55.1.204     | oa-ag-audio.sheridanc.on.ca
144.167.32.101   | display.ag.ualr.edu
150.131.15.190   | AGNDisplay.cs.umt.edu
150.131.15.191   | AGNVideoCapture.cs.umt.edu
150.29.224.11    | 
150.29.224.12    |
192.12.188.22    | agdisplay.bu.edu
192.231.212.52   | ag2.vislab.usyd.edu.au
192.88.194.131   |
192.88.194.133   |
198.107.147.38   |
198.49.215.221   | chlagdisplay.ssc.usm.edu
198.49.215.223   | chlagvideo.ssc.usm.edu
207.75.164.86    | i2-agdisplay.internet2.edu
207.75.164.87    | i2-agvideo.internet2.edu

:michael

> 
> At 06:55 PM 1/23/2002 -0600, Michael Grobe <grobe at raven.cc.ku.edu> wrote:
> >to follow up on jeff's note....our network guys have now characterized
> >the high-traffic event experienced on jan 23, 2002 as:
> >
> >      "...a large burst of traffic seemed to occur every half hour
> >      from the times we were monitoring from 2:00 - 5:00 (CST)."
> >
> >and they have linked the event to a number of remote AG systems which
> >were probably in the Lobby....and, possibly, to some non AG systems.
> >investigation continues.
> >
> >:michael grobe
> >university of kansas
> >
> > > Did anyone else happen to notice what would look like a huge DoS attack
> > > between about 4:30 and 5:00 PM U.S. CST today (Jan. 23)?  Our campus was
> > > suffering from huge problems with internet connectivity and one of our
> > > network folks saw something in a router that made him think it might
> > > have something to do with AG as the address was one of the multicast
> > > addresses for the Lobby.  When we shut down our AG node(s) the problem
> > > suddenly disappeared.  Now we'd like to try and find out if it was pure
> > > coincidence or if it was somehow AG related.  Our network guy said the
> > > traffic looked like huge (30KB?) UDP packets.  So did anyone else notice
> > > problems during this timeframe?
> > >
> > > Jeff Long
> > > University of Kansas
> > >
> 