Perebor & Varek
So, Perebor, have you seen the new zero‑day signatures in the corporate firewall logs? I’m picking up a pattern that looks off.
I can pull up the logs right now. What does the pattern look like—frequency, source IP, payload size? The anomaly might be a simple loop or a more sophisticated polymorphic tweak. Let’s break it down step by step.
First thing: the source IPs are all in the same /24, but they rotate through three addresses every 30 seconds. Frequency is about 200 requests per minute, way above normal traffic for that port. Payload size starts at 512 bytes, then drops to 256, then back up to 512 in a predictable rhythm. The signature hashes are all unique, so it’s a polymorphic tweak, but the timing pattern is dead‑set. That loop is our entry point—keep a watch on that /24 block and lock the port when the 200‑rpm burst hits.
Looks like a coordinated botnet—same /24, fixed cadence, bursty traffic. Lock the port and drop that block. I’ll set a rate‑limit rule and monitor for the 200‑rpm spike. If it continues, quarantine the subnet.
Good plan. Keep the lock tight until you confirm the botnet’s offline. If the spike resumes, quarantine the /24 and block any new connections. Stay alert; the attackers will try to adapt.
Sounds good. I'll enforce the lock now and keep an eye on the /24. If the pattern returns, I'll quarantine and block all new traffic. Stay tuned.