nanog mailing list archives
Re: Denial of service attacks apparently from UUNET Netblocks
From: dougd () airmail net (Doug Davis)
Date: Mon, 6 Oct 1997 16:23:36 -0500 (CDT)
Karl, we just went thru basically the same thing with UUNET. I have >500MB of log files to show for it too :-(. The attack started around 7pm CDT, Sep 24th. Good thing we are not totally dependent on uunet.

With the help of a kid in their NOC whom I badgered into working with me, I believe we had located a router which would accept source routed packets. I say believe, because when we found something "not right" he had to hang up on me and call someone else. A few minutes later the attack stopped. When I called back an hour or so later there was no mention of whom I had talked to in their "call log" and I didn't get the name as it was about the 5th person I was transferred to.

When the uunet security people returned my call (I left voice mail, "Our office hours are from 8am to 5pm eastern time") fully 3 days later, they did mention that they would be 24x7 "real soon now." But otherwise couldn't be of much help since the attack was no longer in progress. I guess we just go out of business while waiting.

Anyway, I made them the offer to email them a few hundred megs of logs which they declined. Oddly enough, the FBI called back within a few minutes and did want the logs (we burned 'em a cd).

I've attached a small snippet of a tcpdump of the attack. It appears to differ from yours as the source address changes. It was directed at one of our 28.8 dialup ports. The incoming packet rate averaged about 2mb.

19:56:56.851502 snap 0:0:0:8:0 19.191.138.170.1900 > 206.66.14.112.57030: S 674719801:674719801(0) win 65535 (ttl 21, id 13324)
19:56:56.851502 snap 0:0:0:8:0 3.167.56.59.1900 > 206.66.14.112.57031: S 674719801:674719801(0) win 65535 (ttl 21, id 13325)
19:56:56.851502 snap 0:0:0:8:0 14.252.139.99.1900 > 206.66.14.112.57032: S 674719801:674719801(0) win 65535 (ttl 21, id 13326)
19:56:56.853455 snap 0:0:0:8:0 249.101.146.59.1900 > 206.66.14.112.57033: S 674719801:674719801(0) win 65535 (ttl 21, id 13327)
19:56:56.853455 snap 0:0:0:8:0 240.101.24.102.1900 > 206.66.14.112.57034: S 674719801:674719801(0) win 65535 (ttl 21, id 13328)
19:56:56.853455 snap 0:0:0:8:0 154.252.81.12.1900 > 206.66.14.112.57035: S 674719801:674719801(0) win 65535 (ttl 21, id 13329)
19:56:56.854432 snap 0:0:0:8:0 103.31.255.241.1900 > 206.66.14.112.57036: S 674719801:674719801(0) win 65535 (ttl 21, id 13330)
19:56:56.854432 snap 0:0:0:8:0 222.245.112.22.1900 > 206.66.14.112.57037: S 674719801:674719801(0) win 65535 (ttl 21, id 13331)
19:56:56.854432 snap 0:0:0:8:0 154.36.44.37.1900 > 206.66.14.112.57038: S 674719801:674719801(0) win 65535 (ttl 21, id 13332)
19:56:56.854432 snap 0:0:0:8:0 37.31.237.183.1900 > 206.66.14.112.57039: S 674719801:674719801(0) win 65535 (ttl 21, id 13333)
19:56:56.854432 snap 0:0:0:8:0 76.167.191.100.1900 > 206.66.14.112.57040: S 674719801:674719801(0) win 65535 (ttl 21, id 13334)
19:56:56.854432 snap 0:0:0:8:0 131.254.10.213.1900 > 206.66.14.112.57041: S 674719801:674719801(0) win 65535 (ttl 21, id 13335)
19:56:56.855409 snap 0:0:0:8:0 74.60.41.73.1900 > 206.66.14.112.57042: S 674719801:674719801(0) win 65535 (ttl 21, id 13336)
19:56:56.855409 snap 0:0:0:8:0 243.40.34.99.1900 > 206.66.14.112.57043: S 674719801:674719801(0) win 65535 (ttl 21, id 13337)
19:56:56.855409 snap 0:0:0:8:0 82.253.99.126.1900 > 206.66.14.112.57044: S 674719801:674719801(0) win 65535 (ttl 21, id 13338)
19:56:56.855409 snap 0:0:0:8:0 234.163.66.215.1900 > 206.66.14.112.57045: S 674719801:674719801(0) win 65535 (ttl 21, id 13339)
19:56:56.855409 snap 0:0:0:8:0 156.36.2.91.1900 > 206.66.14.112.57046: S 674719801:674719801(0) win 65535 (ttl 21, id 13340)
19:56:56.857362 snap 0:0:0:8:0 15.222.135.25.1900 > 206.66.14.112.57047: S 674719801:674719801(0) win 65535 (ttl 21, id 13341)
19:56:56.857362 snap 0:0:0:8:0 145.99.239.187.1900 > 206.66.14.112.57048: S 674719801:674719801(0) win 65535 (ttl 21, id 13342)
19:56:56.857362 snap 0:0:0:8:0 29.174.213.63.1900 > 206.66.14.112.57049: S 674719801:674719801(0) win 65535 (ttl 21, id 13343)
19:56:56.857362 snap 0:0:0:8:0 19.146.15.118.1900 > 206.66.14.112.57050: S 674719801:674719801(0) win 65535 (ttl 21, id 13344)
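
An added example, not part of the original post: in the snippet above every SYN has a different source address but the same sequence number, window and TTL, and the IP ids rise by one. The sketch below groups tcpdump lines in this format on those shared fields; the function name, the `min_sources` threshold and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are taken from the post's snippet; the fifth is a
# constructed ordinary SYN added for contrast.
SAMPLE = """\
19:56:56.851502 snap 0:0:0:8:0 19.191.138.170.1900 > 206.66.14.112.57030: S 674719801:674719801(0) win 65535 (ttl 21, id 13324)
19:56:56.851502 snap 0:0:0:8:0 3.167.56.59.1900 > 206.66.14.112.57031: S 674719801:674719801(0) win 65535 (ttl 21, id 13325)
19:56:56.851502 snap 0:0:0:8:0 14.252.139.99.1900 > 206.66.14.112.57032: S 674719801:674719801(0) win 65535 (ttl 21, id 13326)
19:56:56.853455 snap 0:0:0:8:0 249.101.146.59.1900 > 206.66.14.112.57033: S 674719801:674719801(0) win 65535 (ttl 21, id 13327)
19:56:57.001000 snap 0:0:0:8:0 192.0.2.10.1025 > 206.66.14.112.25: S 1382726990:1382726990(0) win 8192 (ttl 57, id 4021)
""".splitlines()

# Matches the verbose SYN lines shown in the post (flag "S", zero-length payload).
PKT = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) .*? "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
    r"(?P<seq>\d+):\d+\(0\) win (?P<win>\d+) "
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)")

def find_shared_field_syn_groups(lines, min_sources=3):
    """Hypothetical helper: report SYN groups where many distinct source
    addresses share one destination, sequence number, TTL and window."""
    groups = defaultdict(list)
    for line in lines:
        m = PKT.search(line)
        if m:  # lines in any other format are skipped
            groups[(m["dst"], m["seq"], m["ttl"], m["win"])].append(m)
    findings = []
    for (dst, seq, ttl, win), pkts in groups.items():
        sources = {p["src"] for p in pkts}
        if len(sources) < min_sources:
            continue
        ids = [int(p["id"]) for p in pkts]
        ports = [int(p["dport"]) for p in pkts]
        findings.append({
            "dst": dst, "seq": int(seq), "ttl": int(ttl), "win": int(win),
            "packets": len(pkts), "sources": len(sources),
            # IP id is 16 bits wide, so compare modulo 65536
            "ip_id_sequential": all((b - a) % 65536 == 1
                                    for a, b in zip(ids, ids[1:])),
            "dst_port_range": (min(ports), max(ports)),
        })
    return findings

if __name__ == "__main__":
    for finding in find_shared_field_syn_groups(SAMPLE):
        print(finding)
```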