Why do a traceroute? All you need to do is a whois to determine the
registration of the address space.
Not really enough information to say if it is a new worm or DOS.
Also, your range was one IP, if they are all with in the same subnet
space see below:
11/23/01 08:43:49 dns 216.106.166.141
nslookup 216.106.166.141
Canonical name: h216-106-166-141.ibeam.com
Addresses:
216.106.166.141
11/23/01 08:43:47 IP block 216.106.166.141
Trying 216.106.166.141 at ARIN
Trying 216.106.166 at ARIN
iBEAM Broadcasting Corporation (NETBLK-IBEAM)
645 Almanor Ave, Suite 100
Sunnyvale, CA 94086
US
Netname: IBEAM
Netblock: 216.106.160.0 - 216.106.175.255
Maintainer: BEAM
Coordinator:
Newton, Mike (MN179-ARIN) [EMAIL PROTECTED]
408/523-1646
Domain System inverse mapping provided by:
NS1.IBEAM.COM 216.35.151.103
NS2.IBEAM.COM 204.247.99.125
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 02-May-2001.
Database last updated on 22-Nov-2001 19:54:03 EDT.
On Wed, 21 Nov 2001 15:39:05 -0500
"Seth Keller" <[EMAIL PROTECTED]> wrote:
> I don't think my first post made it through, so here goes again. Our web server has
>been completely bombarded for about four hours now by a specific range of IP
>addresses. Our T1 line has been at 100% capacity during this ordeal. We are
>receiving around 250 packets per second from a range of IPs that I cannot completely
>trace.
>
> The range is 216.106.166.141 through 216.106.166.141. All packets appear to be
>legit http requests for port 80. The requests cycle through from one IP after the
>next and then the cycle starts over. I have tried using http://www.network-tools.com
>to trace the numbers to no avail. I can only get within the last five nodes before
>the trace times out.
>
> Does anyone have any ideas what this may be? I'm thinking maybe a new worm or a DOS
>but I'm not sure yet. Thanks in advance.
>
> Seth Keller
> Culver Community Schools
> A+/N+/CIW
> Intel Certified Integration Specialist 2000/2001
Mark Robinson
<[EMAIL PROTECTED]>
