North American Network Operators Group

Re: Tracing where it started
Just to add to this. We noticed a sudden burst and terminated ports to customers infected as well. I never noticed anything odd from HE and we also applied 1434 blocks very quickly. Thankfully, our most infected customer crashed his internal core and took him offline anyway :).

----- Original Message -----
From: "Mike Leber" <[email protected]>
To: "Alex Rubenstein" <[email protected]>
Cc: "Johannes Ullrich" <[email protected]>; "Travis Pugh" <[email protected]>; <[email protected]>
Sent: Saturday, January 25, 2003 10:17 PM
Subject: Re: Tracing where it started

>
>
> On Sun, 26 Jan 2003, Alex Rubenstein wrote:
> > > +-----------------+
> > > | 216.069.032.086 | Kentucky Community and Technical College System
> > > | 066.223.041.231 | Interland
> > > | 216.066.011.120 | Hurricane Electric
> > > | 216.098.178.081 | V-Span, Inc.
> > > +-----------------+
> >
> > HE.net seems to be a recurring theme. (I speak to evil of them --
> > actually, there are some good people over there).
> >
> > However, it appears that one of the 'root' boxes of this attack was at HE.
> > This is the third or fourth time I've seen their netblocks mentioned as
> > the source of some of the first packets.
>
> Looking at the router traffic graphs for the east and west coast the
> attack started at the same time just before 9:30 PST or 12:30 EST. I'm
> sure the owners of some of the infected boxes would be able to give a
> better chronology based on when their logs for other services (i.e. HTTP)
> they might have been running stopped.
>
> After looking at flow stats and figuring out that this wasn't an attack by
> a single compromised box we blocked udp port 1434 on several of our core
> routers. We then went back and contacted customers whose IPs showed up in
> our flow stats. Some were reachable and coordinated with our support to
> disconnect their MSSQL servers or otherwise shut down MSSQL.
>
> We then went through all our customer aggregation switches looking for
> ports that had the pattern of the attack, i.e. 25000 pps inbound to our
> switch, 10 packets outbound on a 100 Mbps port. We shut down about 7
> customer ports in New York and about 16 in California. These customers
> were contacted and the majority of them have patched their machines, a
> few are still off.
>
> Some Hurricane sites like our San Jose site were unaffected (no change
> from normal traffic levels) indicating any Windows users there had
> previously patched.
>
> Mike.
>
> +----------------- H U R R I C A N E - E L E C T R I C -----------------+
> | Mike Leber           Direct Internet Connections     Voice 510 580 4100 |
> | Hurricane Electric   Web Hosting  Colocation         Fax   510 580 4151 |
> | [email protected]                                   http://www.he.net |
> +-----------------------------------------------------------------------+
>
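The two triage steps Mike describes, picking out the sources that show up in flow stats as udp/1434 senders and then walking the aggregation switches for ports with very high inbound and almost no outbound packets, can be scripted. The following is an added example written for this page, not code from the thread or from Hurricane Electric; the flow-record layout, the counter fields, the thresholds and all sample data are constructed assumptions chosen to mirror the numbers quoted in the post.

```python
# Added example (not code from the NANOG thread above): two detection
# heuristics that mirror what the post describes, scripted over
# constructed sample data so the logic can be run offline.
#  1. flow records  -> hosts spraying many small UDP datagrams at port 1434
#  2. port counters -> access ports with heavy inbound and near-zero
#     outbound packet rates, the pattern used in the post to find infected hosts
# Record layouts, field names and thresholds are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int


def parse_flows(text):
    """Parse whitespace-separated 'src dst proto dport packets octets' lines
    (a constructed layout, not any particular collector's export format).
    Blank lines and '#' comment lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto, dport, packets, octets = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport),
                          int(packets), int(octets)))
    return flows


def flag_1434_talkers(flows, min_packets=1000, max_avg_octets=600):
    """Return sources that sent at least min_packets UDP packets to port 1434
    with a small average packet size.  A worm that spreads in a single small
    datagram per target shows up as a huge packet count at a tiny, nearly
    constant average size; a handful of legitimate SQL Browser lookups never
    crosses min_packets, and bulk transfers fail the size check."""
    pkts = defaultdict(int)
    octs = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dport == 1434:
            pkts[f.src] += f.packets
            octs[f.src] += f.octets
    return sorted(
        src for src, n in pkts.items()
        if n >= min_packets and octs[src] / n <= max_avg_octets
    )


@dataclass(frozen=True)
class PortCounters:
    port: str
    in_pps: float   # packets/s the switch receives from the customer side
    out_pps: float  # packets/s the switch sends toward the customer


def flag_asymmetric_ports(counters, min_in_pps=10000, max_out_pps=100):
    """Return ports whose inbound rate is high while outbound is nearly idle:
    a host scanning the Internet receives almost nothing back.  A busy but
    symmetric port (an ordinary server) is left alone."""
    return sorted(
        c.port for c in counters
        if c.in_pps >= min_in_pps and c.out_pps <= max_out_pps
    )


# Constructed sample data (not real flow exports or switch counters).
SAMPLE_FLOW_TEXT = """
# src        dst            proto dport packets  octets
10.9.8.7     198.51.100.10  udp   1434  30000    12120000
10.9.8.7     203.0.113.55   udp   1434  25000    10100000
10.9.8.8     10.9.8.20      udp   1434  3        1212
10.9.8.9     203.0.113.9    tcp   1433  20000    30000000
10.9.8.10    198.51.100.77  udp   1434  2000     3000000
"""
SAMPLE_FLOWS = parse_flows(SAMPLE_FLOW_TEXT)

SAMPLE_PORTS = [
    PortCounters("gi1/0/3", in_pps=25000, out_pps=10),     # scanner pattern
    PortCounters("gi1/0/4", in_pps=800, out_pps=900),      # ordinary traffic
    PortCounters("gi1/0/5", in_pps=30000, out_pps=28000),  # busy but symmetric
]

if __name__ == "__main__":
    print("udp/1434 talkers:", flag_1434_talkers(SAMPLE_FLOWS))
    print("asymmetric ports:", flag_asymmetric_ports(SAMPLE_PORTS))
```

In the sample data only 10.9.8.7 is reported by the flow check (55000 packets averaging about 404 octets), while the three-packet SQL Browser lookup and the large-datagram sender are ignored, and only gi1/0/3 matches the port check. The thresholds are deliberately conservative: the point of the port heuristic is to act on a pattern that is almost never legitimate, then confirm by contacting the customer, as the post describes.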