nanog mailing list archives
Re: Weird attack or traffic (Was Re: The impending DDoS storm)
From: Mike Tancsa <mike () sentex net>
Date: Fri, 15 Aug 2003 01:25:09 -0400
Yes, we are starting to see this as well. We are filtering at the edge, so the bogus packets are not getting out.
We have a /19 of 64.7.128.0/19 and 64.7.229.241 is totally bogus for our network.
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.229.241:1069 204.79.188.11:80 out via fxp1 Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.39.113:1904 204.79.188.11:80 out via fxp1 Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.105.240:1739 204.79.188.11:80 out via fxp1 Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.235.113:1178 204.79.188.11:80 out via fxp1 Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.46.113:1014 204.79.188.11:80 out via fxp1 Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.111.240:1849 204.79.188.11:80 out via fxp1 Aug 14 21:59:17 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.176.240:1685 204.79.188.11:80 out via fxp1
---Mike
At 01:04 AM 15/08/2003 -0400, Haesu wrote:
Is anyone else seeing backscatters on your network about windowsupdate.com's IP?Someone who transits through 65.123.21.137 router is sending out lots of packetsto 204.79.188.11 (windowsupdate.com) in which its not currently advertised to internet as we speak. Not to mention, packets seem to be source-spoofed to 65.124.16.0/21 (our block), causing backscatter from 65.123.21.137 to our network... Any ideas/or anyone seeing similar effect? Is someone who is administrative toQwest Communications WASH01-WAN-65-123-21 (NET-65-123-21-0-1) aware of this maybe? It looks like a Qwest customer CPE router to me but I dunno.. See below for traffic snapshot.. -hc -- Sincerely, Haesu C. TowardEX Technologies, Inc. WWW: http://www.towardex.com E-mail: haesu () towardex com Cell: (978) 394-2867k00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable 00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable 00:50:22.979997 65.123.21.137 > 65.124.22.98: icmp: net 204.79.188.11 unreachable 00:50:23.047340 65.123.21.137 > 65.124.22.21: icmp: net 204.79.188.11 unreachable 00:50:23.133616 65.123.21.137 > 65.124.22.72: icmp: net 204.79.188.11 unreachable 00:50:23.520405 65.123.21.137 > 65.124.23.107: icmp: net 204.79.188.11 unreachable 00:50:23.745844 65.123.21.137 > 65.124.22.3: icmp: net 204.79.188.11 unreachable 00:50:23.829309 65.123.21.137 > 65.124.22.54: icmp: net 204.79.188.11 unreachable 00:50:24.493650 65.123.21.137 > 65.124.23.113: icmp: net 204.79.188.11 unreachable 00:50:24.530074 65.123.21.137 > 65.124.23.35: icmp: net 204.79.188.11 unreachable 00:50:24.618082 65.123.21.137 > 65.124.23.86: icmp: net 204.79.188.11 unreachable 00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable 00:47:50.649962 65.123.21.137 > 65.124.17.151: icmp: net 204.79.188.11 unreachable 00:47:50.711865 65.123.21.137 > 65.124.17.124: icmp: net 204.79.188.11 unreachable 00:47:50.756960 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable 00:47:50.826367 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable 00:47:52.355967 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable 00:47:52.587141 65.123.21.137 > 65.124.20.46: icmp: net 204.79.188.11 unreachable 00:47:53.865460 65.123.21.137 > 65.124.22.87: icmp: net 204.79.188.11 unreachable00:48:05.250757 65.123.21.137 > 65.124.16.1: icmp: net 204.79.188.11 unreachable 00:48:05.713640 65.123.21.137 > 65.124.17.86: icmp: net 204.79.188.11 unreachable 00:48:05.841169 65.123.21.137 > 65.124.17.60: icmp: net 204.79.188.11 unreachable 00:48:06.013042 65.123.21.137 > 65.124.16.33: icmp: net 204.79.188.11 unreachable 00:48:06.549540 65.123.21.137 > 65.124.17.41: icmp: net 204.79.188.11 unreachable 00:48:06.803847 65.123.21.137 > 65.124.17.92: icmp: net 204.79.188.11 unreachable 00:48:06.981930 65.123.21.137 > 65.124.17.15: icmp: net 204.79.188.11 unreachable 00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable 00:48:07.343120 65.123.21.137 > 65.124.18.74: icmp: net 204.79.188.11 unreachable 00:48:07.486285 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable 00:48:07.569901 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable 00:48:08.117407 65.123.21.137 > 65.124.18.106: icmp: net 204.79.188.11 unreachable 00:48:08.356732 65.123.21.137 > 65.124.20.41: icmp: net 204.79.188.11 unreachable 00:48:08.637485 65.123.21.137 > 65.124.20.14: icmp: net 204.79.188.11 unreachable 00:48:08.944750 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable 00:48:08.946623 65.123.21.137 > 65.124.22.49: icmp: net 204.79.188.11 unreachable
Current thread:
- Weird attack or traffic (Was Re: The impending DDoS storm) Haesu (Aug 14)
- Re: Weird attack or traffic (Was Re: The impending DDoS storm) Mike Tancsa (Aug 14)
- Re: Weird attack or traffic (Was Re: The impending DDoS storm) Haesu (Aug 14)