North American Network Operators Group

Re: Tracing where it started
Here are the first ten minutes of packets that one of my firewalls intercepted (PST times):

Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:38:54: UDP Drop SRC=211.57.70.131 LEN=404 TOS=0x00 PREC=0x00 TTL=102 ID=9940 PROTO=UDP SPT=1654 DPT=1434 LEN=384
Jan 24 21:39:34: UDP Drop SRC=202.96.108.140 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=17122 PROTO=UDP SPT=4742 DPT=1434 LEN=384
Jan 24 21:41:40: UDP Drop SRC=200.162.192.22 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=21153 PROTO=UDP SPT=3121 DPT=1434 LEN=384
Jan 24 21:41:51: UDP Drop SRC=64.70.191.74 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=46498 PROTO=UDP SPT=1046 DPT=1434 LEN=384
Jan 24 21:42:06: UDP Drop SRC=129.242.210.240 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=2336 PROTO=UDP SPT=1574 DPT=1434 LEN=384

I checked, and none of these source addresses had sent any visible probes into my network within the prior month.

The really weird thing is that while I was interactively watching router logs I saw a bunch of packets where neither the SRC nor DST were within my network. I looked up the MAC address of the packets, and they seemed to be coming from a client colocated box (apparently un-firewalled Linux).

I wonder if there was a worm that spread previous to the attack to seed/start the attack by sending spoofed attack packets to a large list of known vulnerable servers. It does make sense though that the origin packets would have all been spoofed. Unfortunately I can't find any items like that in my log files.
-Steve

On Sun, Jan 26, 2003 at 12:09:33AM -0500, Alex Rubenstein eloquently stated:
>
> > +-----------------+
> > | 216.069.032.086 | Kentucky Community and Technical College System
> > | 066.223.041.231 | Interland
> > | 216.066.011.120 | Hurricane Electric
> > | 216.098.178.081 | V-Span, Inc.
> > +-----------------+
>
> HE.net seems to be a recurring theme. (I speak to evil of them --
> actually, there are some good people over there).
>
> However, it appears that one of the 'root' boxes of this attack was at HE.
> This is the third or fourth time I've seen their netblocks mentioned as
> the source of some of the first packets.
>
> -- Alex Rubenstein, AR97, K2AHR, [email protected], latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

--
Stephen Milton - Vice President            (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services   (425) 869-9437 Fax
[email protected]                           http://www.isomedia.com
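An added example (not part of the thread, and not anyone's production tooling) of the two checks a defender would run over firewall lines in the format Steve quotes: count sources sending the UDP/1434, 404-byte datagrams, and flag logged packets where neither SRC nor DST falls inside the operator's own prefixes, the symptom Steve describes. The post's lines carry no DST= field, so the two lines that exercise the spoof check are constructed, and the local prefix 192.0.2.0/24 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three lines quoted from the post, plus two constructed lines
# that add a DST= field (absent from the post's format) to exercise the spoof check.
SAMPLE = [
    "Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384",
    "Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384",
    "Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384",
    "Jan 24 21:45:00: UDP Drop SRC=203.0.113.5 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=1212 DPT=1434 LEN=384",
    "Jan 24 21:45:01: UDP Drop SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=53 DPT=1434 LEN=40",
]
LOCAL_NETS = ["192.0.2.0/24"]  # assumed: the prefixes this firewall should treat as its own

# "<timestamp>: <proto> <action> KEY=VALUE ..."; LEN appears twice (IP total
# length, then UDP length), and parse_line keeps the first occurrence.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+): (?P<proto>\w+) (?P<action>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse one firewall line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "proto": m["proto"], "action": m["action"]}
    for key, val in KV_RE.findall(m["rest"]):
        rec.setdefault(key, val)  # first LEN wins: the IP total length
    return rec

def worm_candidates(lines, dport="1434", ip_len="404"):
    """Count, per source, the lines matching the pattern in the post:
    UDP to port 1434 carried in a 404-byte IP datagram."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("PROTO") == "UDP" and rec.get("DPT") == dport and rec.get("LEN") == ip_len:
            hits[rec["SRC"]] += 1
    return hits

def transit_without_local_address(lines, local_nets):
    """Return (ts, SRC, DST) for packets where neither address is in local_nets.
    On an edge device that should only carry its own prefixes, such packets
    point at a spoofed or mis-routed source, as the post describes."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    def is_local(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    return [(rec["ts"], rec["SRC"], rec["DST"])
            for rec in filter(None, map(parse_line, lines))
            if "DST" in rec and not is_local(rec["SRC"]) and not is_local(rec["DST"])]
```

Run `worm_candidates(SAMPLE).most_common()` and `transit_without_local_address(SAMPLE, LOCAL_NETS)` over a real log to get the per-source counts and the list of packets that carry none of your own addresses.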