nanog mailing list archives
Re: Tracing where it started
From: Clayton Fiske <clay () bloomcounty org>
Date: Sat, 25 Jan 2003 10:14:07 -0800
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging.
>
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 216.66.11.120
Interestingly, looking through my logs for UDP 1434, I saw a sequential scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN

All from 206.176.210.74, all source port 53 (probably trying to use people's DNS firewall rules to get around being filtered).

After that, I saw nothing until the storm started last night from many different source IPs, which was at Jan 24 21:31:53 PST for me.

-c
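A detection sketch for the kind of sweep described in the message above, added here as an example and not part of the original post: it parses log lines in the layout quoted there and reports sources that hit numerically consecutive hosts on UDP 1434, noting when every probe used source port 53. The sample lines, the documentation-range addresses, the function names and the `min_run` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample in the log layout quoted in the message; addresses are
# documentation ranges, not values from the thread.
SAMPLE = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 08:15:52 198.51.100.7,53 -> 192.0.2.4,1434 PR udp len 20 33 IN
Jan 16 08:17:02 203.0.113.9,4411 -> 192.0.2.77,1434 PR udp len 20 404 IN
Jan 16 08:17:09 203.0.113.20,53 -> 192.0.2.10,53 PR udp len 20 61 IN
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ \d+ IN$")

def parse(text):
    """Yield (src, sport, dst, dport, proto) for every line that matches."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), IPv4Address(m["dst"]),
                   int(m["dport"]), m["proto"])

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    best = run = 0
    prev = None
    for a in sorted(set(int(x) for x in addrs)):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best, prev = max(best, run), a
    return best

def find_sweeps(text, dport=1434, min_run=3):
    """Return {src: {"run": n, "sports": set}} for sources sweeping dport."""
    targets, sports = defaultdict(list), defaultdict(set)
    for src, sport, dst, dp, proto in parse(text):
        if proto == "udp" and dp == dport:
            targets[src].append(dst)
            sports[src].add(sport)
    return {s: {"run": longest_run(d), "sports": sports[s]}
            for s, d in targets.items() if longest_run(d) >= min_run}

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE).items():
        dns = " (source port 53 only)" if info["sports"] == {53} else ""
        print(f"{src}: {info['run']} consecutive hosts on udp/1434{dns}")
```

The source-port check matters for filter review: a stateless rule that admits any UDP packet with source port 53 would pass these probes, so replies to DNS queries are better matched by connection state than by port alone.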