North American Network Operators Group


Re: Weird attack or traffic (Was Re: The impending DDoS storm)

  • From: Haesu
  • Date: Fri Aug 15 02:01:18 2003

It kinda looks like the virus or whatever it is, is spoofing
source IP.

Now I am seeing lots of spoofed packets trying to egress out of
our network. 

We are filtering egress traffic so obviously it's being dropped at
the edge of course...


Just cleared access-list counter about a minute or so ago and this:

box02c75-br01#sh ip acces 180 | in deny
    deny ip any any log-input (17268883 matches)
box02c75-br01#

-hc

-- 
Sincerely,
  Haesu C.
  TowardEX Technologies, Inc.
  WWW: http://www.towardex.com
  E-mail: [email protected]
  Cell: (978) 394-2867

On Fri, Aug 15, 2003 at 01:04:38AM -0400, Haesu wrote:
> 
> Is anyone else seeing backscatters on your network about windowsupdate.com's IP?
> 
> Someone who transits through 65.123.21.137 router is sending out lots of packets
> to 204.79.188.11 (windowsupdate.com) in which it's not currently advertised to
> internet as we speak. Not to mention, packets seem to be source-spoofed to
> 65.124.16.0/21 (our block), causing backscatter from 65.123.21.137 to our
> network...
> 
> Any ideas/or anyone seeing similar effect? Is someone who is administrative to
> Qwest Communications WASH01-WAN-65-123-21 (NET-65-123-21-0-1) aware of this
> maybe? It looks like a Qwest customer CPE router to me but I dunno..
> 
> See below for traffic snapshot..
> 
> -hc
> 
> -- 
> Sincerely,
>   Haesu C.
>   TowardEX Technologies, Inc.
>   WWW: http://www.towardex.com
>   E-mail: [email protected]
>   Cell: (978) 394-2867
> 
> 00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable
> 00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable
> 00:50:22.979997 65.123.21.137 > 65.124.22.98: icmp: net 204.79.188.11 unreachable
> 00:50:23.047340 65.123.21.137 > 65.124.22.21: icmp: net 204.79.188.11 unreachable
> 00:50:23.133616 65.123.21.137 > 65.124.22.72: icmp: net 204.79.188.11 unreachable
> 00:50:23.520405 65.123.21.137 > 65.124.23.107: icmp: net 204.79.188.11 unreachable
> 00:50:23.745844 65.123.21.137 > 65.124.22.3: icmp: net 204.79.188.11 unreachable
> 00:50:23.829309 65.123.21.137 > 65.124.22.54: icmp: net 204.79.188.11 unreachable
> 00:50:24.493650 65.123.21.137 > 65.124.23.113: icmp: net 204.79.188.11 unreachable
> 00:50:24.530074 65.123.21.137 > 65.124.23.35: icmp: net 204.79.188.11 unreachable
> 00:50:24.618082 65.123.21.137 > 65.124.23.86: icmp: net 204.79.188.11 unreachable
> 00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
> 00:47:50.649962 65.123.21.137 > 65.124.17.151: icmp: net 204.79.188.11 unreachable
> 00:47:50.711865 65.123.21.137 > 65.124.17.124: icmp: net 204.79.188.11 unreachable
> 00:47:50.756960 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
> 00:47:50.826367 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
> 00:47:52.355967 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
> 00:47:52.587141 65.123.21.137 > 65.124.20.46: icmp: net 204.79.188.11 unreachable
> 00:47:53.865460 65.123.21.137 > 65.124.22.87: icmp: net 204.79.188.11 unreachable
> 
> 00:48:05.250757 65.123.21.137 > 65.124.16.1: icmp: net 204.79.188.11 unreachable
> 00:48:05.713640 65.123.21.137 > 65.124.17.86: icmp: net 204.79.188.11 unreachable
> 00:48:05.841169 65.123.21.137 > 65.124.17.60: icmp: net 204.79.188.11 unreachable
> 00:48:06.013042 65.123.21.137 > 65.124.16.33: icmp: net 204.79.188.11 unreachable
> 00:48:06.549540 65.123.21.137 > 65.124.17.41: icmp: net 204.79.188.11 unreachable
> 00:48:06.803847 65.123.21.137 > 65.124.17.92: icmp: net 204.79.188.11 unreachable
> 00:48:06.981930 65.123.21.137 > 65.124.17.15: icmp: net 204.79.188.11 unreachable
> 00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
> 00:48:07.343120 65.123.21.137 > 65.124.18.74: icmp: net 204.79.188.11 unreachable
> 00:48:07.486285 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
> 00:48:07.569901 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
> 00:48:08.117407 65.123.21.137 > 65.124.18.106: icmp: net 204.79.188.11 unreachable
> 00:48:08.356732 65.123.21.137 > 65.124.20.41: icmp: net 204.79.188.11 unreachable
> 00:48:08.637485 65.123.21.137 > 65.124.20.14: icmp: net 204.79.188.11 unreachable
> 00:48:08.944750 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
> 00:48:08.946623 65.123.21.137 > 65.124.22.49: icmp: net 204.79.188.11 unreachable
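
An added example, not part of the original thread: one way to summarize a tcpdump capture like the snapshot above, grouping ICMP unreachables by reporting router and unreachable destination and counting how many distinct addresses in a local prefix received them. The function name `summarize_backscatter` and the `min_recipients` threshold are assumptions made for this illustration; the first four sample lines are copied from the snapshot and the last two are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape seen in the snapshot (an optional "> " quote prefix is tolerated):
#   00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable
LINE_RE = re.compile(
    r"^(?:>\s*)?\S+\s+(?P<reporter>\d+\.\d+\.\d+\.\d+) > (?P<rcpt>\d+\.\d+\.\d+\.\d+): "
    r"icmp: (?:net|host) (?P<target>\d+\.\d+\.\d+\.\d+) unreachable"
)

def summarize_backscatter(lines, our_prefix, min_recipients=3):
    """Group ICMP unreachables by (reporting router, unreachable target).

    A group is reported when it reaches at least `min_recipients` distinct
    addresses inside `our_prefix`; one router telling many of our addresses
    about the same destination is the backscatter pattern in the thread.
    `min_recipients` is an assumed threshold, not a value from the thread.
    """
    net = ipaddress.ip_network(our_prefix)
    groups = defaultdict(lambda: {"packets": 0, "recipients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP unreachable line
        if ipaddress.ip_address(m["rcpt"]) not in net:
            continue  # recipient is not one of our addresses
        g = groups[(m["reporter"], m["target"])]
        g["packets"] += 1
        g["recipients"].add(m["rcpt"])
    return {
        key: {"packets": g["packets"], "distinct_recipients": len(g["recipients"])}
        for key, g in groups.items()
        if len(g["recipients"]) >= min_recipients
    }

# First four lines copied from the snapshot; the last two are constructed.
SAMPLE = """\
00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable
00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable
00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
00:48:09.000001 192.0.2.1 > 65.124.16.9: icmp: host 198.51.100.7 unreachable
00:48:09.000002 65.123.21.137 > 203.0.113.5: icmp: net 204.79.188.11 unreachable
""".splitlines()

if __name__ == "__main__":
    for (reporter, target), stats in summarize_backscatter(SAMPLE, "65.124.16.0/21").items():
        print(reporter, "->", target, stats)
```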