If 445 is the Windows SMB port then a whole bunch of viruses use it. Something like 90% of viruses?
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

"When you have eliminated the impossible, that which remains, however improbable, must be the truth."
--- Sir Arthur Conan Doyle

On Thu, Jun 11, 2009 at 11:56 AM, Ryan Ghering <rgher...@gmail.com> wrote:

> So last night at about 10 pm we started to receive the largest flood I have
> ever seen. It looked like a DDOS attack; looking into my router,
> the tcp flow showed an input queue of over 100 million pps on my DS3
> upstream. By default we block all Microsoft internal ports in and out bound
> on our upstream, i.e. 137 138 445 etc. Port 445 deny showed 3.1 million
> hits.
> I cleared the counters, contacted my upstream, they see it as well. They
> input an access-list to block port 445 and the attack starts dropping off
> (took about 10 mins for the network buffers to clear and the load to drop on
> my routers). The question is, was this caused by conficker? What other
> attacks use 445 tcp?
>
> As a side note, my upstream called this morning, asked if they could remove
> the access-list, stating it's policy to only leave ACLs in place for 12 to
> 24 hours.
> I asked them if this was conficker what can be done to permanently block it.
> They tell me this is my issue, not theirs. So I have to take a chance in 12
> hours when they remove the ACL that my network will be screwed again. A log
> export shows in just a 10 minute period over 18,000 addresses denied on 445
> tcp.
>
> Needless to say it was a long night and a screwed up morning. Has anyone
> else experienced a similar flood on 445 recently?
>
> Ryan
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
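
An added example, not part of the original messages: one way to summarize a deny-log export like the one described above, counting distinct sources, distinct targets and packets per 10-minute window on tcp/445. The log line format (Cisco IOS-style `%SEC-6-IPACCESSLOGP`), the ACL number, the addresses, the year and the function name `summarize_denies` are assumptions; the thread does not say which router or log format is in use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of Cisco IOS ACL logging (assumed format);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 10 22:01:12: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(3312) -> 192.0.2.10(445), 4 packets
Jun 10 22:03:40: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(1045) -> 192.0.2.22(445), 1 packet
Jun 10 22:04:02: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(3313) -> 192.0.2.11(445), 2 packets
Jun 10 22:07:55: %SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.50(137) -> 192.0.2.10(137), 1 packet
Jun 10 22:12:30: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.77(2210) -> 192.0.2.10(445), 3 packets
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d).*?denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

def summarize_denies(log_text, port=445, proto="tcp", window_min=10, year=2009):
    """Bucket ACL denies for one proto/port into fixed time windows.

    Returns {"YYYY-MM-DD HH:MM": {"sources": n, "targets": n, "packets": n}}.
    Syslog timestamps carry no year, so the caller supplies it.
    """
    buckets = defaultdict(lambda: {"src": set(), "dst": set(), "packets": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != proto or int(m["dport"]) != port:
            continue  # unparseable line, or a deny for some other service
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        b = buckets[start.strftime("%Y-%m-%d %H:%M")]
        b["src"].add(m["src"])
        b["dst"].add(m["dst"])
        b["packets"] += int(m["pkts"])
    return {k: {"sources": len(v["src"]), "targets": len(v["dst"]),
                "packets": v["packets"]} for k, v in sorted(buckets.items())}

if __name__ == "__main__":
    for window, stats in summarize_denies(SAMPLE_LOG).items():
        print(window, stats)
```

Comparing the per-window source and target counts before and after the upstream ACL is removed gives a concrete record to hand to the provider.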