We are also seeing this traffic at AS4436. Appears to be coming from IP addresses all over the space. Here's a box that traps all of 165.227.0.0/16:
23:08:13.257197 165.194.123.131.1227 > 165.227.92.176.1434: udp 376
23:08:13.259778 129.187.150.78.2667 > 165.227.84.186.1434: udp 376
23:08:13.276695 61.40.143.242.3794 > 165.227.21.48.1434: udp 376
23:08:13.284191 128.218.133.213.1078 > 165.227.198.96.1434: udp 376
23:08:13.286648 169.229.141.44.1065 > 165.227.255.90.1434: udp 376
23:08:13.294512 218.232.109.22.3302 > 165.227.146.129.1434: udp 376
23:08:13.300412 137.79.10.100.2478 > 165.227.5.230.1434: udp 376
23:08:13.302869 128.143.100.86.1397 > 165.227.41.248.1434: udp 376
23:08:13.317327 203.226.64.220.3081 > 165.227.216.188.1434: udp 376
23:08:13.319908 209.41.170.8.4033 > 165.227.252.85.1434: udp 376
23:08:13.322365 64.71.177.201.2439 > 165.227.128.21.1434: udp 376
23:08:13.327937 216.120.60.154.3005 > 165.227.125.156.1434: udp 376
23:08:13.330435 64.239.145.3.3231 > 165.227.4.161.1434: udp 376
23:08:13.333016 204.228.229.106.4049 > 165.227.238.69.1434: udp 376
23:08:13.335350 212.209.231.186.52703 > 165.227.38.136.1434: udp 376
23:08:13.337930 207.46.200.162.2343 > 165.227.96.170.1434: udp 376
23:08:13.340388 61.178.83.30.4525 > 165.227.77.119.1434: udp 376
23:08:13.342887 62.250.16.28.1385 > 165.227.119.91.1434: udp 376
23:08:13.345468 66.155.116.10.1041 > 165.227.106.35.1434: udp 376
23:08:13.362506 207.226.255.124.2331 > 165.227.189.42.1434: udp 376
23:08:13.364964 63.241.139.196.1150 > 165.227.135.221.1434: udp 376
23:08:13.367422 66.109.239.200.1117 > 165.227.67.250.1434: udp 376
23:08:13.370042 194.100.187.36.2342 > 165.227.103.27.1434: udp 376
23:08:13.372501 158.38.141.86.3269 > 165.227.239.113.1434: udp 376
23:08:13.374959 212.71.66.23.2019 > 165.227.232.118.1434: udp 376
23:08:13.377417 158.38.141.65.1382 > 165.227.169.58.1434: udp 376
23:08:13.379915 130.127.8.157.2980 > 165.227.107.122.1434: udp 376
23:08:13.382496 207.46.200.146.2718 > 165.227.49.107.1434: udp 376
23:08:13.386100 80.237.200.171.1198 > 165.227.93.216.1434: udp 376
23:08:13.388557 64.71.180.135.1915 > 165.227.38.41.1434: udp 376
23:08:13.394660 211.117.60.188.2806 > 165.227.49.12.1434: udp 376

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Granados
> Sent: Friday, January 24, 2003 10:41 PM
> To: Alex Rubenstein
> Cc: hc; [EMAIL PROTECTED]
> Subject: Re: Level3 routing issues?
>
> We just had a box inside one of my customers' networks start
> sending tons of small packets, not sure what kind yet.
>
> On Sat, 25 Jan 2003, Alex Rubenstein wrote:
>
> > I dunno about that. But, I am seeing, in the last couple hours, all
> > kinds of new traffic.
> >
> > like, customers who never get attacked or anything, all of a sudden:
> >
> > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> >
> > We are seeing this on ports all across our network -- nearly 1/2 our
> > ports are in delta alarm right now.
> >
> > Anyone else?
> >
> > I will dig more to look at the traffic.
> >
> > On Sat, 25 Jan 2003, hc wrote:
> >
> > > Anyone seeing routing problems with Level3 at this hour? I just
> > > witnessed tons of prefixes behind level3's network withdraw. Any
> > > information on what is happening (if you know) would be great.
> > > Thanks!
> > >
> > > -hc
> >
> > -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
> > -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
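
Added example (not part of the original thread): a short Python parser for tcpdump lines in the format of the capture above, grouping packets that land in a trap network by destination port and UDP length to surface the pattern the message describes, many unrelated sources hitting many unused addresses with identical packets. The sample lines, the 198.51.100.0/24 trap prefix, the `min_sources` threshold and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the same tcpdump format as the capture above;
# addresses are documentation ranges, not values taken from the thread.
SAMPLE = """\
23:08:13.257197 192.0.2.10.1227 > 198.51.100.176.1434: udp 376
23:08:13.259778 203.0.113.78.2667 > 198.51.100.186.1434: udp 376
23:08:13.276695 192.0.2.242.3794 > 198.51.100.48.1434: udp 376
23:08:13.284191 203.0.113.213.1078 > 198.51.100.96.1434: udp 376
23:08:13.286648 192.0.2.44.53 > 198.51.100.90.33012: udp 120
garbled line that should be skipped
"""

# "<time> <src ip>.<src port> > <dst ip>.<dst port>: udp <length>"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<length>\d+)$"
)

def parse(text):
    """Yield (src, dst, dport, length) for each well-formed UDP line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield (ip_address(m["src"]), ip_address(m["dst"]),
                   int(m["dport"]), int(m["length"]))

def summarize(text, trap_net, min_sources=3):
    """Group packets into the trap network by (dst port, length) and keep
    groups where many distinct sources hit many distinct trap addresses."""
    net = ip_network(trap_net)
    groups = {}
    for src, dst, dport, length in parse(text):
        if dst not in net:
            continue
        g = groups.setdefault((dport, length),
                              {"pkts": 0, "src": set(), "dst": set()})
        g["pkts"] += 1
        g["src"].add(src)
        g["dst"].add(dst)
    return {key: (g["pkts"], len(g["src"]), len(g["dst"]))
            for key, g in groups.items()
            if len(g["src"]) >= min_sources and len(g["dst"]) >= min_sources}

if __name__ == "__main__":
    for (dport, length), (pkts, nsrc, ndst) in summarize(SAMPLE, "198.51.100.0/24").items():
        print(f"udp/{dport} len={length}: {pkts} pkts, {nsrc} sources, {ndst} targets")
```

On a trap prefix with no live hosts, any group that survives the filter is unsolicited by definition, so a single (port, length) pair dominating the output is a strong signal of automated scanning or worm propagation.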