@RN_
@Stormycloud
@eyedeekay
@not_bob
@orignal
@postman
@zzz
%Liorar
%acetone
%mareki2p
+FreefallHeavens
+Onn4l7h
+Onn4|7h
+nyaa2pguy
+poriori
+profetikla
+qend-irc2p
+r00tobo
+uop23ip
+waffles_
Arch
Danny
Irc2PGuest47612
Irc2PGuest72215
Irc2PGuest76863
Irc2PGuest77921
MatrixBot1
Meow
Over1
ahiru_
anontor
cims
eyedeekay_
leopold
mahlay
makoto
n2_
nZDoYBkF
nilbog
o3d3
r00tobo[2]
rednode
snex
snex__
stormycloud[m]
not_bob
zzz: Only 50!?
not_bob
I can't say for sure, but I may have more than 50 SAM sessions running at a time. But, they are very short lived.
not_bob
Transient tunnels are way up in the last 7 days. What's up with that?
zzz
50 for canon. no idea about plus
zzz
re: part. tunnel count, don't see that in my data
not_bob
Curious.
zzz
do you have any insight into the group of encrypted leasesets we're seeing?
not_bob
I do not.
zzz
probably some botnet got creative
not_bob
I don't collect data on those, so they are pretty much invisible to me.
not_bob
Likely, yes.
not_bob
Anyway, I group each tunnel into one off three groups.
not_bob
1. Has been around more than 1 months.
not_bob
1. Has been around for more than 7 days.
not_bob
2. Anything else (short lived).
not_bob
About 5 days before the feb "attack" I noticed the transient tunnles grow like crazy in percentage.
not_bob
I noticed that post atttack.
not_bob
So much data, hard to tell what signals might be key.
nyaa2pguy
could the transient tunnels also just be a sign of an in-network ddos?
not_bob
nyaa2pguy: I have no idea what they are other than short lived tunnels.
not_bob
It's my floodfill view of the world.
nyaa2pguy
interesting. unrelated: is there a way to 'name' sam clients?
nyaa2pguy
can get a little vague in the java console when you have lots of them
nyaa2pguy
ah i think i found it: inbound.nickname
zzz
yup