North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Reflection Attack- 69.80.239.50

  • From: mack
  • Date: Tue Nov 20 12:07:02 2007
  • Accept-language: en-US
  • Acceptlanguage: en-US

I apologize if this is off topic.
Currently the IP 69.80.239.50 is the victim of a reflection attack.

Many operators may be seeing what appears to be a syn attack generated by this IP.
These are actually spoofed packet hitting an open port designed to generate a syn-ack packet at the victim server.

This attack was originally a standard syn attack which has lasted since the 13th.
On Saturday the 17th we moved the victim server to a new ip behind a firewall.

Yesterday, Monday the 19th at approximately 3PM the attack changed to a reflection attack of greatly increased magnitude.  We have rate limited syn-ack packets hitting the firewall to reduce backscatter of reset packets.

Anyone seeing a stream of packets that appears to be improperly sourced from 69.80.239.50 is asked to contact us if they believe they can help us track back the perpetrators.

Any assistance that can be rendered is appreciated.  This includes direction to another forum that may be able to offer assistance.

As there are approximately 102,000 reflectors being used please do not contact us unless you can help us trace this back or provide substantial assistance.  We are currently overwhelmed by abuse complaints this has generated.

The attack has now doubled in size and may be considerably more than 102k reflectors.

----
LR Mack McBride
Network Administrator
Alpha Red, Inc.