> As a lot of people recommended using tcpdump, here it is. The only
> thing that stands out, are hundreds and thousands of lines like this:
>
> 13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP,
> length 9216
> 13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP,
> length 9216
> 13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP,
> length 9216
> 13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP,
> length 9216
> 13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP,
> length 9216
>
> That IP resolves to u15194704.onlinehome-server.com. Seems to be a
> German ISP. After five seconds the capture.out file was already
> 2.8MB. You can see the file here: https://89.219.136.126/capture.out
>
> Thank you again to all the nice people who contacted me. And again,
> it would be nice if you could send me a copy of your reply, because
> I'm not a member of the list (either reply or cc to joel@spirit.ee).
> Thanks!


Looks like a case of DDoS indeed. The node's DNS A-record better be
left pointing to the old IP#, and the IP address changed.

> Joel V.


[SorAlx] ridin' VS1400
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/lis...reebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
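What the quoted tcpdump lines show is the classic shape of a single-source UDP flood: one source address and one fixed source port, a different (apparently random) destination port on every packet, a constant oversized datagram (a 9216-byte UDP length is far above an Ethernet MTU, so each one arrives IP-fragmented), and packets a few milliseconds apart. The following script, added here as an example and not part of the original thread or of the capture.out file, parses tcpdump's default text output and flags (source, source port) pairs that match that shape. The sample capture is constructed: it contains the five lines quoted above (unwrapped onto one line each), three more made-up lines in the same pattern, and a few ordinary DNS packets so the detector has normal traffic to leave alone. Thresholds (`min_packets`, `min_pps`, `min_dport_ratio`) are illustrative assumptions, not values from the post.

```python
import re
from datetime import datetime

# Constructed sample (not the post's capture.out): the five quoted lines,
# three further lines in the same pattern, and some ordinary DNS traffic.
SAMPLE_CAPTURE = """\
13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.993001 IP 10.0.0.5.51234 > ns1.galandrex.ee.53: 12345+ A? example.com. (29)
13:45:49.993412 IP ns1.galandrex.ee.53 > 10.0.0.5.51234: 12345 1/0/0 A 192.0.2.1 (45)
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.007800 IP 10.0.0.7.40001 > ns1.galandrex.ee.53: 777+ MX? example.net. (29)
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216
13:45:50.015530 IP 82.165.252.222.36887 > ns1.galandrex.ee.51902: UDP, length 9216
13:45:50.020311 IP 82.165.252.222.36887 > ns1.galandrex.ee.60077: UDP, length 9216
13:45:50.025102 IP 82.165.252.222.36887 > ns1.galandrex.ee.39914: UDP, length 9216
"""

# tcpdump's default line: "<time> IP <host>.<port> > <host>.<port>: <rest>".
# Hosts may be dotted names or addresses, so the port is the last dotted field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Plain UDP shows "length N"; DNS-decoded lines end with "(N)".
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IP UDP/TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lm = LEN_RE.search(m.group("rest"))
    length = int(lm.group(1) or lm.group(2)) if lm else 0
    return {
        "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "length": length,
    }


def summarize(capture_text):
    """Aggregate packets per (source, source port): count, bytes, distinct dst ports, rate."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"])
        st = flows.setdefault(key, {"packets": 0, "bytes": 0, "dports": set(),
                                    "first": pkt["ts"], "last": pkt["ts"]})
        st["packets"] += 1
        st["bytes"] += pkt["length"]
        st["dports"].add(pkt["dport"])
        st["first"] = min(st["first"], pkt["ts"])
        st["last"] = max(st["last"], pkt["ts"])
    for st in flows.values():
        # Timestamps carry no date, so a capture that crosses midnight would need
        # tcpdump -tt (epoch seconds) instead; fine for a short capture like this.
        span = (st["last"] - st["first"]).total_seconds()
        st["pps"] = st["packets"] / span if span > 0 else 0.0
        st["bytes_per_s"] = st["bytes"] / span if span > 0 else 0.0
    return flows


def flag_floods(capture_text, min_packets=5, min_pps=100.0, min_dport_ratio=0.5):
    """Flag sources that send many packets fast, each to a fresh destination port.

    A real client talks to one or two ports; a flood sprays ports at random, so the
    ratio of distinct destination ports to packets is close to 1. Thresholds are
    illustrative assumptions.
    """
    flagged = []
    for key, st in summarize(capture_text).items():
        if st["packets"] < min_packets:
            continue
        ratio = len(st["dports"]) / st["packets"]
        if st["pps"] >= min_pps and ratio >= min_dport_ratio:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for (src, sport), st in summarize(SAMPLE_CAPTURE).items():
        print(f"{src}:{sport}  packets={st['packets']}  dports={len(st['dports'])}  "
              f"pps={st['pps']:.0f}  bytes/s={st['bytes_per_s']:.0f}")
    print("flagged:", flag_floods(SAMPLE_CAPTURE))
```

Run it against a real file with `tcpdump -n -r capture.out > capture.txt` and feed that text in; `-n` keeps addresses numeric so the regex never has to cope with reverse-lookup names, and the port-spray ratio is what separates this pattern from a busy but legitimate resolver talking to port 53.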