North American Network Operators Group

Re: Tracing where it started

  • From: Clayton Fiske
  • Date: Sat Jan 25 14:50:38 2003

On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received
> their first attack packet, and where it came from, if they happened to
> be logging. 
> 
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 216.66.11.120

Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN

All from 206.176.210.74, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).

After that, I saw nothing until the storm started last night from many
different source IPs, which was at Jan 24 21:31:53 PST for me.

-c
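
The following is an added example, not part of the original message: a Python sketch that finds this kind of sweep (one source touching several distinct hosts on UDP 1434 within a few seconds) in logs shaped like the excerpt above, and reports the source ports used so a fixed port such as 53 stands out. The function name, thresholds, the year default and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Line shape follows the excerpt in the message:
#   "Jan 16 08:15:51 SRC,SPORT -> DST,DPORT PR udp len 20 33 IN"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+),(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+),(?P<dport>\d+) PR udp\b")

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = [
    "Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN",
    "Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN",
    "Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN",
    "Jan 16 08:15:52 198.51.100.7,53 -> 192.0.2.4,1434 PR udp len 20 33 IN",
    "Jan 16 09:02:10 203.0.113.9,1027 -> 192.0.2.2,1434 PR udp len 20 33 IN",
    "Jan 16 09:05:00 203.0.113.20,53 -> 192.0.2.2,53 PR udp len 20 33 IN",
]

def find_sweeps(lines, dport=1434, min_targets=3,
                window=timedelta(seconds=5), year=2003):
    """Map each sweeping source to its largest burst inside `window`."""
    hits = defaultdict(list)  # src -> [(time, dst as int, source port)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != dport:
            continue
        # These timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append((ts, int(ip_address(m["dst"])), int(m["sport"])))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            dsts = sorted({d for _, d, _ in chunk})
            best = sweeps.get(src, {}).get("targets", 0)
            if len(dsts) >= min_targets and len(dsts) > best:
                sweeps[src] = {
                    "targets": len(dsts),
                    "sequential": all(b - a == 1 for a, b in zip(dsts, dsts[1:])),
                    "src_ports": sorted({p for _, _, p in chunk}),
                }
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```

A single probe from one source, or ordinary port 53 traffic, is not reported; only a source that reaches `min_targets` distinct hosts inside the window is.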