Security Basics mailing list archives
RE: Dos Attack
From: "Craig Spiers" <craig () concept net nz>
Date: Sun, 14 Mar 2004 03:22:26 +1300
No worries, I've sorted it out.. Telstraclear, one of our upstreams, were having a problem with these guys as well.. I ended up solving the problem by not advertising the netblock :)

-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: Sunday, 14 March 2004 1:42 a.m.
To: craig () concept net nz; security-basics () securityfocus com
Subject: RE: Dos Attack

Hi there Craig,

Fancy seeing you on this list - I do believe you owe me an email.

The person(s) you are dealing with in this particular case are no script kiddies, as I know of them and they should not be taken lightly. Even if you patch this attack, they will find another way in - they are known to attack with set goals, are organised and experienced. I would suggest you talk to "Fu" and ask him what it is that has caused his interest in your ISP; perhaps he and his companions may even be able to give you a few pointers on how to better secure your network.

What I can suggest, if that is not one way you want to go, is to block access to srcp 1A0B from outside of your ISP, or even from outside of New Zealand - national traffic as we well know is a lot cheaper to buy and a lot easier to maintain than international traffic.

If you still have problems, perhaps I could talk to these guys as they know me and we could possibly sort something out.

Sorry that I could not provide a contact at bellsouth, however I have heard from other kiwis that have had hacker problems coming from the b*south network that they are difficult to contact.

Kindest of regards,

Hamish Stanaway, CEO
-= KoRe WoRkS =- Internet Security / Absolute Web Hosting
Owner/Operator
Auckland
New Zealand
http://www.koreworks.com : http://www.webhosting.net.nz : http://www.buywebhosting.co.nz

From: "Craig Spiers" <craig () concept net nz>
To: <security-basics () securityfocus com>
Subject: Dos Attack
Date: Fri, 12 Mar 2004 13:58:43 +1300

Hi All,

We are a small ISP located in Auckland, New Zealand.. One of our broadband clients is currently causing our network to practically be down outside of New Zealand due to the large amount of traffic.

The offender is connected on the following IP address..

adsl-068-209-154-249.sip.btr.bellsouth.net

Bellsouth.net have failed to respond. Our router shows the following floodnet under his control attacking our network. I have null-routed the destination address that is being attacked, to avoid it spreading to the rest of our network..

Any ideas who I can contact above bellsouth to get a stop put to this? We are losing a lot of money, due to SLAs etc.

Also attached is an IRC log relating to the dos attack..

http://www.mystic.net.nz/~deejay/logs.txt

Times are in NZDT

SrcIf  SrcIPaddress     DstIf  DstIPaddress    Pr  SrcP  DstP  Pkts
Fa3/0  202.143.18.249   Null   218.101.56.150  06  0747  1A0B  1
Fa3/0  4.250.66.98      Null   218.101.56.150  06  0489  1A0B  1
Fa2/0  209.213.143.253  Fa0/0  202.127.8.1     11  0035  0035  1
Fa3/0  24.235.177.240   Null   218.101.56.150  06  03FF  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9985  1A0B  1
Fa2/0  209.213.143.253  Fa0/0  202.127.8.2     11  0035  0035  2
Fa3/0  213.137.38.156   Null   218.101.56.150  06  06E7  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9984  1A0B  1
SrcIf  SrcIPaddress     DstIf  DstIPaddress    Pr  SrcP  DstP  Pkts
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9987  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9986  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9989  1A0B  1
Fa3/0  142.160.9.208    Null   218.101.56.150  06  0720  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9988  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  998B  1A0B  1
Fa3/0  13.181.224.189   Null   218.101.56.150  06  06FF  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  998D  1A0B  1
Fa3/0  154.26.185.218   Null   218.101.56.150  06  05A3  1A0B  1
Fa3/0  167.39.210.93    Null   218.101.56.150  06  0790  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  998F  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  998E  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9990  1A0B  1
Fa3/0  213.43.94.79     Null   218.101.56.150  06  07CD  1A0B  1
Fa3/0  145.220.105.129  Null   218.101.56.150  06  07AF  1A0B  1
Fa3/0  17.105.188.208   Null   218.101.56.150  06  0778  1A0B  1
Fa3/0  141.156.165.82   Null   218.101.56.150  06  07B2  1A0B  1
Fa3/0  159.106.220.123  Null   218.101.56.150  06  043A  1A0B  1
Fa3/0  141.156.165.82   Null   218.101.56.150  06  07B1  1A0B  1
Fa3/0  53.98.122.232    Null   218.101.56.150  06  07AC  1A0B  1
Fa3/0  141.156.165.82   Null   218.101.56.150  06  07B0  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9999  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  9998  1A0B  1
Fa3/0  14.174.205.107   Null   218.101.56.150  06  07B9  1A0B  1
SrcIf  SrcIPaddress     DstIf  DstIPaddress    Pr  SrcP  DstP  Pkts
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999B  1A0B  1
Fa3/0  46.11.139.18     Null   218.101.56.150  06  03F8  1A0B  1
Fa3/0  141.156.165.82   Null   218.101.56.150  06  07BC  1A0B  1
Fa3/0  46.63.68.148     Null   218.101.56.150  06  0754  1A0B  1
Fa3/0  145.148.49.182   Null   218.101.56.150  06  0413  1A0B  1
Fa3/0  54.53.107.111    Null   218.101.56.150  06  06F6  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999A  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999D  1A0B  1
Fa3/0  145.128.107.2    Null   218.101.56.150  06  03F2  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999C  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999F  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  999E  1A0B  1
Fa3/0  62.172.30.247    Null   218.101.56.150  06  04B8  1A0B  1
Fa3/0  56.121.111.235   Null   218.101.56.150  06  0515  1A0B  1
Fa3/0  29.115.95.245    Null   218.101.56.150  06  053E  1A0B  1
Fa3/0  151.211.166.39   Null   218.101.56.150  06  055D  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  99A5  1A0B  1
Fa3/0  64.68.92.163     Fa0/0  203.97.44.30    06  E70E  0050  1
Fa3/0  202.56.8.53      Null   218.101.56.150  06  042D  1A0B  1
Fa3/0  199.89.221.135   Null   218.101.56.150  06  0448  1A0B  1
Fa3/0  208.47.17.5      Null   218.101.56.150  06  99A7  1A0B  1
Fa3/0  141.156.165.82   Null   218.101.56.150  06  0781  1A0B  1
Fa3/0  138.62.121.251   Null   218.101.56.150  06  0794  1A0B  1
Fa3/0  205.245.174.135  Null   218.101.56.150  06  0737  1A0B  1
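
Added example, not part of the original posts: a small parser for the flow-cache rows pasted in the original message. It decodes the hexadecimal Pr/SrcP/DstP columns (1A0B is TCP port 6667) and groups flows by target so the flooded address stands out. The sample rows are an excerpt of the table in the post; the function names are illustrative.

```python
from collections import defaultdict

# Excerpt of the router output pasted in the post (Pr, SrcP and DstP are hexadecimal).
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa3/0 202.143.18.249 Null 218.101.56.150 06 0747 1A0B 1
Fa3/0 4.250.66.98 Null 218.101.56.150 06 0489 1A0B 1
Fa2/0 209.213.143.253 Fa0/0 202.127.8.1 11 0035 0035 1
Fa3/0 208.47.17.5 Null 218.101.56.150 06 9985 1A0B 1
Fa3/0 208.47.17.5 Null 218.101.56.150 06 9984 1A0B 1
Fa3/0 64.68.92.163 Fa0/0 203.97.44.30 06 E70E 0050 1
Fa3/0 141.156.165.82 Null 218.101.56.150 06 07B1 1A0B 1
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flows(text):
    """Yield one dict per flow row; repeated headers and malformed rows are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = fields
        try:
            proto_num = int(proto, 16)
            row = {"src": src, "dst": dst, "dst_if": dst_if,
                   "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
                   "sport": int(sport, 16), "dport": int(dport, 16),
                   "pkts": int(pkts)}
        except ValueError:
            continue
        yield row


def summarize(text):
    """Group flows by (dst, proto, dport), busiest target first."""
    groups = defaultdict(lambda: {"flows": 0, "sources": set(), "null_routed": True})
    for flow in parse_flows(text):
        g = groups[(flow["dst"], flow["proto"], flow["dport"])]
        g["flows"] += 1
        g["sources"].add(flow["src"])
        g["null_routed"] &= flow["dst_if"] == "Null"
    report = [{"dst": d, "proto": p, "dport": port, "flows": g["flows"],
               "sources": len(g["sources"]), "null_routed": g["null_routed"]}
              for (d, p, port), g in groups.items()]
    return sorted(report, key=lambda r: (-r["flows"], r["dst"], r["dport"]))


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

A `Null` destination interface on every flow to a target confirms the null route is absorbing that traffic at this router.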