Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Tracing where it started

  • From: Travis Pugh
  • Date: Sat Jan 25 18:49:04 2003


According to Clayton Fiske:

> Interestingly, looking through my logs for UDP 1434, I saw a
sequential
> scan of my subnet like so:
>
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33
IN
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33
IN
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33
IN
>
> All from 206.176.210.74, all source port 53 (probably trying to
> use people's DNS firewall rules to get around being filtered).
>
> After that, I saw nothing until the storm started last night from
many
> different source IPs, which was at Jan 24 21:31:53 PST for me.

Ditto on the sequential scan well before the actual action, except
that mine came on Jan. 19th:

Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
...
...

The scan went across several subnets I manage inside 209.67.0.0
serially.  My sources were all from 67.8.33.179, all source port 1.
The actual worm propagation began to hit my logs at 00:28:16 EST Jan
25.

Cheers.

-travis





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.