nanog mailing list archives

Re: Tracing where it started


From: Alex Rubenstein <alex () nac net>
Date: Sat, 25 Jan 2003 17:52:31 -0500 (Eastern Standard Time)



Our first (this is EST):

Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 1434 (default)

61.103.121.140 = a host somewhere on GBLX





On Sat, 25 Jan 2003, Pete Ashdown wrote:


* Clayton Fiske (clay () bloomcounty org) [030125 12:55] writeth:

On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
It might be interesting if some people were to post when they received
their first attack packet, and where it came from, if they happened to
be logging.

Here is the first packet we logged:
Jan 25 00:29:37 EST 216.66.11.120

Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN

I'm not sure that going back that far is going to offer anything
conclusive, as it could have been any number of scanners looking for
vulnerabilities.  Looking at my logs back to the 19th, I have isolated hits
on the 19th and 23rd.  However, they really started to come in force at
22:29:39 MDT, two seconds after Clayton's.  My first attempt came from an
IP owned by Level 3 Comm.

Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet


-- Alex Rubenstein, AR97, K2AHR, alex () nac net, latency, Al Reuben --
--    Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
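An added example, not code from the thread or from any poster: a small Python parser for the Cisco %SEC-6-IPACCESSLOGP lines quoted above, plus a simple burst check that separates the isolated earlier UDP/1434 hits from the moment the traffic "came in force". The 30-second window, the threshold of 3 hits and the year 2003 are assumptions; the sample lines are copied from the thread.

```python
import re
from datetime import datetime

# Cisco IOS %SEC-6-IPACCESSLOGP lines, in the shape quoted in the thread.
# Syslog timestamps carry no year, so the caller supplies one (assumed 2003).
ACL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \d+: \S+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def parse_acl_line(line, year=2003):
    """Parse one ACL log line into a dict; return None for lines that do not match."""
    m = ACL_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proto": m["proto"], "src": m["src"],
            "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
            "count": int(m["count"])}

def onset(events, dport=1434, window=30, threshold=3):
    """Earliest timestamp at which at least `threshold` hits on `dport` fall within
    `window` seconds: the point where traffic arrives in force rather than as the
    isolated scans seen days earlier. Returns None if that never happens."""
    hits = sorted(e["ts"] for e in events if e["dport"] == dport and e["proto"] == "udp")
    for i in range(len(hits)):
        j = i
        while j + 1 < len(hits) and (hits[j + 1] - hits[i]).total_seconds() <= window:
            j += 1
        if j - i + 1 >= threshold:
            return hits[i]
    return None

def sources_before(events, cutoff, dport=1434):
    """Distinct sources that hit `dport` strictly before `cutoff` (the isolated hits)."""
    return sorted({e["src"] for e in events if e["dport"] == dport and e["ts"] < cutoff})

# Sample input: log lines quoted in the thread, rejoined onto single lines.
SAMPLE = """\
Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
"""

EVENTS = [e for e in map(parse_acl_line, SAMPLE.splitlines()) if e is not None]
```

Running `onset(EVENTS)` on the sample returns Jan 24 22:29:39, the same "in force" moment Pete reports, while `sources_before` isolates the lone Jan 23 source.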


