North American Network Operators Group


Re: Tracing where it started

  • From: Stephen Milton
  • Date: Sun Jan 26 16:13:33 2003

Here are the first ten minutes of packets that one of my firewalls
intercepted:

(PST Times)
Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:38:54: UDP Drop SRC=211.57.70.131 LEN=404 TOS=0x00 PREC=0x00 TTL=102 ID=9940 PROTO=UDP SPT=1654 DPT=1434 LEN=384
Jan 24 21:39:34: UDP Drop SRC=202.96.108.140 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=17122 PROTO=UDP SPT=4742 DPT=1434 LEN=384
Jan 24 21:41:40: UDP Drop SRC=200.162.192.22 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=21153 PROTO=UDP SPT=3121 DPT=1434 LEN=384
Jan 24 21:41:51: UDP Drop SRC=64.70.191.74 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=46498 PROTO=UDP SPT=1046 DPT=1434 LEN=384
Jan 24 21:42:06: UDP Drop SRC=129.242.210.240 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=2336 PROTO=UDP SPT=1574 DPT=1434 LEN=384

I checked, and none of these source addresses had sent any visible
probes into my network within the prior month.

The really weird thing is that while I was interactively watching
router logs I saw a bunch of packets where neither the SRC nor DST
were within my network.  I looked up the MAC address of the packets,
and they seemed to be coming from a client colocated box (apparently
un-firewalled Linux).  I wonder if there was a worm that spread
previous to the attack to seed/start the attack by sending spoofed
attack packets to a large list of known vulnerable servers.

It does make sense though that the origin packets would have all been
spoofed.  Unfortunately I can't find any items like that in my log
files.

-Steve

On Sun, Jan 26, 2003 at 12:09:33AM -0500, Alex Rubenstein eloquently stated:
> 
> 
> 
> > +-----------------+
> > | 216.069.032.086 |  Kentucky Community and Technical College System
> > | 066.223.041.231 |  Interland
> > | 216.066.011.120 |  Hurricane Electric
> > | 216.098.178.081 |  V-Span, Inc.
> > +-----------------+
> 
> HE.net seems to be a recurring theme. (I speak to evil of them --
> actually, there are some good people over there).
> 
> However, it appears that one of the 'root' boxes of this attack was at HE.
> This is the third or fourth time I've seen their netblocks mentioned as
> the source of some of the first packets.
> 
> 
> 
> -- Alex Rubenstein, AR97, K2AHR, [email protected], latency, Al Reuben --
> --    Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
> 

-- 
Stephen Milton - Vice President                (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services        (425) 869-9437 Fax
[email protected]                        http://www.isomedia.com
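As an added example (not part of the thread), a small Python parser for the firewall "UDP Drop" lines quoted above: it keeps only packets matching the port/size shape every line in the post shares (DPT=1434, UDP LEN=384, i.e. a 376-byte payload) and lists each source by first-seen time and hit count, which is the "where did it start" question Steve is asking of his logs. The sample lines are constructed from the post's format (three copied from it, one repeat source, one unrelated DNS drop); the field names are the log's own.

```python
import re
from datetime import datetime

# Constructed sample in the format of the firewall lines quoted in the post:
# three lines copied from it, one repeat source, and one unrelated DNS drop.
SAMPLE_LOG = """\
Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:35:02: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1400 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:36:40: UDP Drop SRC=192.0.2.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=12 PROTO=UDP SPT=53 DPT=53 LEN=58
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): UDP Drop SRC=(?P<src>[\d.]+) LEN=(?P<iplen>\d+) "
    r".*?TTL=(?P<ttl>\d+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) LEN=(?P<udplen>\d+)$"
)

# The shared shape of every dropped packet in the post: destination UDP/1434 and
# UDP length 384, i.e. a 376-byte payload after the 8-byte UDP header (IP LEN=404).
SIGNATURE_DPT, SIGNATURE_UDPLEN = 1434, 384

def parse_line(line):
    """Fields of one 'UDP Drop' line as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("iplen", "ttl", "spt", "dpt", "udplen"):
        rec[key] = int(rec[key])
    return rec

def matches_signature(rec):
    return rec["dpt"] == SIGNATURE_DPT and rec["udplen"] == SIGNATURE_UDPLEN

def trace_origins(log_text):
    """(source, first-seen stamp, hit count) for matching sources, earliest first."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_signature(rec):
            continue
        # syslog stamps carry no year; assume one window with no year rollover
        when = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        entry = seen.setdefault(rec["src"], {"first": rec["ts"], "key": when, "hits": 0})
        entry["hits"] += 1
    ordered = sorted(seen.items(), key=lambda kv: kv[1]["key"])
    return [(src, v["first"], v["hits"]) for src, v in ordered]
```

Running `trace_origins(SAMPLE_LOG)` drops the DNS line and returns the three 1434 sources in first-seen order, with the repeat source counted twice.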