nanog mailing list archives
Re: Tracing where it started
From: Alex Rubenstein <alex () nac net>
Date: Sat, 25 Jan 2003 17:52:31 -0500 (Eastern Standard Time)
Our first (this is EST):

Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 14 34 (default)

61.103.121.140 = a host somewhere on GBLX

On Sat, 25 Jan 2003, Pete Ashdown wrote:

> * Clayton Fiske (clay () bloomcounty org) [030125 12:55] writeth:
> > On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> > > It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging.
> > >
> > > Here is the first packet we logged:
> > >
> > > Jan 25 00:29:37 EST 216.66.11.120
> >
> > Interestingly, looking through my logs for UDP 1434, I saw a sequential scan of my subnet like so:
> >
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
>
> I'm not sure that going back that far is going to offer anything conclusive, as it could have been any number of scanners looking for vulnerabilities. Looking at my logs back to the 19th, I have isolated hits on the 19th and 23rd. However, they really started to come in force at 22:29:39 MDT, two seconds after Clayton's. My first attempt came from an IP owned by Level 3 Comm.
>
> Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
> Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
> Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
> Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
> Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
> Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
> Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
> Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
> Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
> Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
> Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet
-- Alex Rubenstein, AR97, K2AHR, alex () nac net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
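Comparing "first attack packet" times across sites the way this thread does needs two things the raw logs do not give you: one common clock, and a way to separate an isolated earlier hit (any single scanner) from the moment the traffic comes in force. The following is an added example, not code from the post or from any of the posters. It parses Cisco %SEC-6-IPACCESSLOGP deny lines in the format Pete Ashdown quotes, converts them to UTC (syslog lines carry no year or zone, so it assumes 2003 and a UTC-7 offset for the Mountain-time routers, which is the offset that lines them up with the EST entries in the thread), and reports the earliest UDP/1434 hit, the first-seen time per source, and the onset, defined here as the first moment at least three distinct sources hit within 60 seconds. The function names, the threshold, and the two extra sample lines marked constructed are assumptions of this example.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Cisco IOS ACL log line, in the format of the lines quoted in the post, e.g.
# Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
CISCO_ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) .*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_cisco_acl(line, year, utc_offset_hours):
    """Parse one %SEC-6-IPACCESSLOGP line into a dict, or None if it is not one.

    Syslog timestamps carry neither year nor zone, so the caller supplies both
    (the router's local offset from UTC) and the result holds a UTC datetime."""
    m = CISCO_ACL_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    local = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss,
                     tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {"ts": local.astimezone(timezone.utc), "host": m["host"],
            "proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}


def first_seen_per_source(records):
    """Earliest UTC timestamp for each source address, ordered by that time."""
    seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        seen.setdefault(r["src"], r["ts"])
    return OrderedDict(sorted(seen.items(), key=lambda kv: kv[1]))


def onset(records, min_sources=3, window=timedelta(seconds=60)):
    """UTC time at which at least `min_sources` distinct sources hit within
    `window`: where the traffic comes in force, as opposed to an isolated
    earlier hit that could be any single scanner (threshold is an assumption)."""
    recs = sorted(records, key=lambda r: r["ts"])
    for i, r in enumerate(recs):
        srcs = {x["src"] for x in recs[i:] if x["ts"] - r["ts"] <= window}
        if len(srcs) >= min_sources:
            return r["ts"]
    return None


def analyse(lines, year, utc_offset_hours, dport=1434, proto="udp"):
    """Keep only denied `proto`/`dport` records and summarise them."""
    parsed = (parse_cisco_acl(l, year, utc_offset_hours) for l in lines)
    records = [r for r in parsed if r and r["dport"] == dport and r["proto"] == proto]
    return {"records": records,
            "earliest": min(records, key=lambda r: r["ts"]) if records else None,
            "first_seen": first_seen_per_source(records),
            "onset": onset(records)}


# Sample input: the ACL lines quoted in the post, plus two constructed lines
# (a DNS deny and a non-ACL syslog message) that the filter must drop.
SAMPLE_LINES = [
    "Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet",
    "Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet",
    "Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet",
    "Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet",
    "Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet",
    "Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet",
    "Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet",
    "Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet",
    "Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet",
    "Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet",
    "Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet",
    # constructed: a deny on another port, must be filtered out
    "Jan 24 22:29:45 border 7577866: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(40000) -> 166.70.22.47(53), 1 packet",
    # constructed: not an ACL log message at all, must be skipped by the parser
    "Jan 24 22:29:46 border 7577867: 30w2d: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    # Assumption: the routers log Mountain time, UTC-7 in January.
    summary = analyse(SAMPLE_LINES, 2003, -7)
    print("earliest 1434 hit:", summary["earliest"]["ts"], summary["earliest"]["src"])
    print("onset (>=3 sources within 60s):", summary["onset"])
    for src, ts in summary["first_seen"].items():
        print(f"{ts:%Y-%m-%d %H:%M:%S} UTC first seen from {src}")
```

On the quoted lines this separates the isolated Jan 23 hit (earliest record) from the onset at 05:29:39 UTC, which is Pete's 22:29:39 local; the same UTC conversion applied to the EST entries puts Alex's 00:29:44 at 05:29:44 UTC, so the three sites can be ordered on one clock. Each site's offset has to be supplied by whoever owns the logs, since nothing in the line itself records it.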
Current thread:
- Tracing where it started Phil Rosenthal (Jan 25)
- Re: Tracing where it started Clayton Fiske (Jan 25)
- Re: Tracing where it started Pete Ashdown (Jan 25)
- Re: Tracing where it started Alex Rubenstein (Jan 25)
- Re: Tracing where it started Daniel Senie (Jan 25)
- Re: Tracing where it started Pete Ashdown (Jan 25)
- Re: Tracing where it started Travis Pugh (Jan 25)
- Re: Tracing where it started Johannes Ullrich (Jan 25)
- Re: Tracing where it started Alex Rubenstein (Jan 25)
- Re: Tracing where it started Mike Leber (Jan 25)
- Re: Tracing where it started Scott Granados (Jan 25)
- Re: Tracing where it started Johannes Ullrich (Jan 26)
- mSQL Attack/Peering/OBGP/Optical exchange David Diaz (Jan 26)
- Re: mSQL Attack/Peering/OBGP/Optical exchange Rubens Kuhl Jr. (Jan 26)
- Re: mSQL Attack/Peering/OBGP/Optical exchange Kurt Erik Lindqvist (Jan 30)
- Re: Tracing where it started Clayton Fiske (Jan 25)