North American Network Operators Group

Re: Weird attack or traffic (Was Re: The impending DDoS storm)
It kinda looks like the virus or whatever it is, is spoofing source IP. Now I am seeing lots of spoofed packets trying to egress out of our network. We are filtering egress traffic so obviously it's being dropped at edge of course...

Just cleared access-list counter about a minute or so ago and this:

box02c75-br01#sh ip acces 180 | in deny
    deny ip any any log-input (17268883 matches)
box02c75-br01#

-hc

--
Sincerely,
Haesu C.
TowardEX Technologies, Inc.
WWW: http://www.towardex.com
E-mail: [email protected]
Cell: (978) 394-2867

On Fri, Aug 15, 2003 at 01:04:38AM -0400, Haesu wrote:
>
> Is anyone else seeing backscatters on your network about windowsupdate.com's IP?
>
> Someone who transits through 65.123.21.137 router is sending out lots of packets
> to 204.79.188.11 (windowsupdate.com) in which it's not currently advertised to
> internet as we speak. Not to mention, packets seem to be source-spoofed to
> 65.124.16.0/21 (our block), causing backscatter from 65.123.21.137 to our
> network...
>
> Any ideas/or anyone seeing similar effect? Is someone who is administrative to
> Qwest Communications WASH01-WAN-65-123-21 (NET-65-123-21-0-1) aware of this
> maybe? It looks like a Qwest customer CPE router to me but I dunno..
>
> See below for traffic snapshot..
>
> -hc
>
> --
> Sincerely,
> Haesu C.
> TowardEX Technologies, Inc.
> WWW: http://www.towardex.com
> E-mail: [email protected]
> Cell: (978) 394-2867
>
> 00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable
> 00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable
> 00:50:22.979997 65.123.21.137 > 65.124.22.98: icmp: net 204.79.188.11 unreachable
> 00:50:23.047340 65.123.21.137 > 65.124.22.21: icmp: net 204.79.188.11 unreachable
> 00:50:23.133616 65.123.21.137 > 65.124.22.72: icmp: net 204.79.188.11 unreachable
> 00:50:23.520405 65.123.21.137 > 65.124.23.107: icmp: net 204.79.188.11 unreachable
> 00:50:23.745844 65.123.21.137 > 65.124.22.3: icmp: net 204.79.188.11 unreachable
> 00:50:23.829309 65.123.21.137 > 65.124.22.54: icmp: net 204.79.188.11 unreachable
> 00:50:24.493650 65.123.21.137 > 65.124.23.113: icmp: net 204.79.188.11 unreachable
> 00:50:24.530074 65.123.21.137 > 65.124.23.35: icmp: net 204.79.188.11 unreachable
> 00:50:24.618082 65.123.21.137 > 65.124.23.86: icmp: net 204.79.188.11 unreachable
> 00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
> 00:47:50.649962 65.123.21.137 > 65.124.17.151: icmp: net 204.79.188.11 unreachable
> 00:47:50.711865 65.123.21.137 > 65.124.17.124: icmp: net 204.79.188.11 unreachable
> 00:47:50.756960 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
> 00:47:50.826367 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
> 00:47:52.355967 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
> 00:47:52.587141 65.123.21.137 > 65.124.20.46: icmp: net 204.79.188.11 unreachable
> 00:47:53.865460 65.123.21.137 > 65.124.22.87: icmp: net 204.79.188.11 unreachable
>
> 00:48:05.250757 65.123.21.137 > 65.124.16.1: icmp: net 204.79.188.11 unreachable
> 00:48:05.713640 65.123.21.137 > 65.124.17.86: icmp: net 204.79.188.11 unreachable
> 00:48:05.841169 65.123.21.137 > 65.124.17.60: icmp: net 204.79.188.11 unreachable
> 00:48:06.013042 65.123.21.137 > 65.124.16.33: icmp: net 204.79.188.11 unreachable
> 00:48:06.549540 65.123.21.137 > 65.124.17.41: icmp: net 204.79.188.11 unreachable
> 00:48:06.803847 65.123.21.137 > 65.124.17.92: icmp: net 204.79.188.11 unreachable
> 00:48:06.981930 65.123.21.137 > 65.124.17.15: icmp: net 204.79.188.11 unreachable
> 00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
> 00:48:07.343120 65.123.21.137 > 65.124.18.74: icmp: net 204.79.188.11 unreachable
> 00:48:07.486285 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
> 00:48:07.569901 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
> 00:48:08.117407 65.123.21.137 > 65.124.18.106: icmp: net 204.79.188.11 unreachable
> 00:48:08.356732 65.123.21.137 > 65.124.20.41: icmp: net 204.79.188.11 unreachable
> 00:48:08.637485 65.123.21.137 > 65.124.20.14: icmp: net 204.79.188.11 unreachable
> 00:48:08.944750 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
> 00:48:08.946623 65.123.21.137 > 65.124.22.49: icmp: net 204.79.188.11 unreachable
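
Added example, not part of the original post or the poster's tooling: a small Python summarizer for tcpdump text like the snapshot above, which groups ICMP unreachables by reporting router and unreachable target and counts how many distinct addresses in the local block received them. The function name, the `SAMPLE` list and its last two lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump text form used in the post:
#   "<time> <reporter> > <recipient>: icmp: net <target> unreachable"
LINE_RE = re.compile(
    r"(?P<reporter>\d+(?:\.\d+){3}) > (?P<recipient>\d+(?:\.\d+){3}): "
    r"icmp: (?:net|host) (?P<target>\d+(?:\.\d+){3}) unreachable"
)

def summarize_backscatter(lines, own_prefix):
    """Group ICMP unreachables by (reporting router, unreachable target).

    A recipient inside own_prefix means a packet carried that address as its
    source. Many distinct recipients for one target point to spoofed sources
    rather than a single misbehaving host.
    """
    net = ipaddress.ip_network(own_prefix)
    groups = defaultdict(lambda: {"count": 0, "inside": set(), "outside": 0})
    for line in lines:
        m = LINE_RE.search(line)  # search() also tolerates "> " quote prefixes
        if not m:
            continue  # skip anything that is not an ICMP unreachable record
        g = groups[(m["reporter"], m["target"])]
        g["count"] += 1
        rcpt = ipaddress.ip_address(m["recipient"])
        if rcpt in net:
            g["inside"].add(rcpt)
        else:
            g["outside"] += 1
    return {
        key: {
            "count": g["count"],
            "distinct_recipients": len(g["inside"]),
            # spread across /24s shows how widely the forged sources are scattered
            "distinct_slash24s": len(
                {ipaddress.ip_network(f"{r}/24", strict=False) for r in g["inside"]}
            ),
            "outside_prefix": g["outside"],
        }
        for key, g in groups.items()
    }

# First five lines come from the snapshot in the post; the last two are constructed.
SAMPLE = [
    "00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable",
    "00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable",
    "00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable",
    "00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable",
    "00:48:05.250757 65.123.21.137 > 65.124.16.1: icmp: net 204.79.188.11 unreachable",
    "00:48:09.000000 65.123.21.137 > 192.0.2.7: icmp: net 204.79.188.11 unreachable",
    "00:48:09.100000 192.0.2.9 > 192.0.2.10: icmp: echo request",
]
```

Calling `summarize_backscatter(SAMPLE, "65.124.16.0/21")` returns one group keyed by the reporting router and the unreachable target; a high ratio of distinct recipients to total count is the signature of randomized source spoofing inside the block.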