
Could you say a little more about what this weird traffic was? Were these SIP messages?
--Richard

On Mon, Nov 1, 2010 at 11:01 AM, J. Oquendo <sil at infiltrated.net> wrote:
Sorry for the cross posting to two lists, but I thought everyone on both lists might benefit from the message (*cough*rambling*).
So yesterday, I had a honeypot host "open to the world." Not one "block this country" rule on the machine. Normally throughout the past months I've seen maybe 1 or 2 attacks in parallel, but yesterday was different. I butchered up a perl script to block on the fly as opposed to blocking out entire countries and was surprised to see I managed to accumulate 1600+ hosts. Not *that* big of a deal until I started going through some of the logs...
I'm a bit puzzled because I see hundreds of attacks in parallel (literally 100-200 connections from different netblocks at the same time) so I'm thinking... "VoIP Based Botnet?"
Anyhow, still parsing through the wonderful bucketload of logs this morning. Anyone else see massive activity beginning 10/31?
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops