North American Network Operators Group
Re: Tracing where it started
- From: Clayton Fiske
- Date: Sat Jan 25 14:50:38 2003
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received
> their first attack packet, and where it came from, if they happened to
> be logging.
>
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 22.214.171.124

Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:

Jan 16 08:15:51 126.96.36.199,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 188.8.131.52,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 184.108.40.206,53 -> x.x.x.3,1434 PR udp len 20 33 IN

All from 220.127.116.11, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).

After that, I saw nothing until the storm started last night from many
different source IPs, which was at Jan 24 21:31:53 PST for me.
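
For readers who want to run the same check over their own firewall logs, here is one way to flag a single source walking consecutive addresses on UDP 1434, as the message describes. This is an added example, not part of the original post: the log layout is assumed from the lines quoted above, and the function names and sample addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample in the layout of the log lines quoted in the post;
# all addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 09:02:10 203.0.113.9,53 -> 192.0.2.53,33211 PR udp len 20 120 IN
Jan 24 21:31:53 203.0.113.40,1047 -> 192.0.2.17,1434 PR udp len 20 404 IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\b"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_sweeps(text, dport=1434, min_hosts=3):
    """Report each (source, source port) that hit >= min_hosts consecutive addresses."""
    targets = defaultdict(set)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["proto"] == "udp" and rec["dport"] == dport:
            targets[rec["src"], rec["sport"]].add(int(IPv4Address(rec["dst"])))
    sweeps = []
    for (src, sport), addrs in sorted(targets.items()):
        run = []
        for a in sorted(addrs) + [None]:      # trailing None flushes the last run
            if run and a != run[-1] + 1:      # gap in the sequence: close the run
                if len(run) >= min_hosts:
                    sweeps.append({"src": src, "sport": sport, "hosts": len(run),
                        "first": str(IPv4Address(run[0])), "last": str(IPv4Address(run[-1]))})
                run = []
            run.append(a)
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

A reported `sport` of 53 on inbound traffic to port 1434 matches the pattern noted in the message. The ordinary DNS reply and the lone packet in the sample are not reported.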