Re: Tracing where it started
- From: Stephen Milton
- Date: Sun Jan 26 16:13:33 2003
Here are the first ten minutes of packets that one of my firewalls
Jan 24 21:32:19: UDP Drop SRC=220.127.116.11 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=18.104.22.168 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=22.214.171.124 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:38:54: UDP Drop SRC=126.96.36.199 LEN=404 TOS=0x00 PREC=0x00 TTL=102 ID=9940 PROTO=UDP SPT=1654 DPT=1434 LEN=384
Jan 24 21:39:34: UDP Drop SRC=188.8.131.52 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=17122 PROTO=UDP SPT=4742 DPT=1434 LEN=384
Jan 24 21:41:40: UDP Drop SRC=184.108.40.206 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=21153 PROTO=UDP SPT=3121 DPT=1434 LEN=384
Jan 24 21:41:51: UDP Drop SRC=220.127.116.11 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=46498 PROTO=UDP SPT=1046 DPT=1434 LEN=384
Jan 24 21:42:06: UDP Drop SRC=18.104.22.168 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=2336 PROTO=UDP SPT=1574 DPT=1434 LEN=384
I checked, and none of these source addresses had sent any visible
probes into my network within the prior month.
The really weird thing is that while I was interactively watching
router logs I saw a bunch of packets where neither the SRC nor DST
were within my network. I looked up the MAC address of the packets,
and they seemed to be coming from a client colocated box (apparently
un-firewalled Linux). I wonder if there was a worm that spread
previous to the attack to seed/start the attack by sending spoofed
attack packets to a large list of known vulnerable servers.
It does make sense though that the origin packets would have all been
spoofed. Unfortunately I can't find any items like that in my log
On Sun, Jan 26, 2003 at 12:09:33AM -0500, Alex Rubenstein eloquently stated:
> > +-----------------+
> > | 216.069.032.086 | Kentucky Community and Technical College System
> > | 066.223.041.231 | Interland
> > | 216.066.011.120 | Hurricane Electric
> > | 216.098.178.081 | V-Span, Inc.
> > +-----------------+
> HE.net seems to be a recurring theme. (I speak to evil of them --
> actually, there are some good people over there).
> However, it appears that one of the 'root' boxes of this attack was at HE.
> This is the third or fourth time I've seen their netblocks mentioned as
> the source of some of the first packets.
> -- Alex Rubenstein, AR97, K2AHR, firstname.lastname@example.org, latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Stephen Milton - Vice President (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services (425) 869-9437 Fax
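The log lines quoted in the post carry a very specific fingerprint: UDP to port 1434 (SQL Server Resolution Service) with a 404-byte IP datagram, which is the packet the SQL Slammer worm sent. The following Python script is an added example, not code from the post, from ISOMEDIA or from NANOG. It parses netfilter-style drop lines like the ones above, counts matching probes per source over the observed window, and flags packets whose SRC and DST are both outside the local address space, which is the "neither SRC nor DST within my network" case the post describes. Everything beyond the eight quoted lines is an assumption: the RFC 5737 prefix 192.0.2.0/24 stands in for the author's network, the three extra log lines are constructed, and the DST= field they carry is absent from the post's lines (a record without DST= is treated as addressed to us).

```python
"""Triage of netfilter-style firewall drop logs for the UDP/1434 traffic
shown in the post.  Added example; not code from the post or from NANOG.

Assumptions that are not in the post: the RFC 5737 prefix 192.0.2.0/24
stands in for "my network", the constructed lines carry the DST= field
the post's lines omit, and a record without DST= is treated as a packet
addressed to us (logged on our own firewall's input path).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WORM_DPT = 1434        # SQL Server Resolution Service, the port Slammer targeted
WORM_IP_LEN = 404      # 20-byte IP header + 8-byte UDP header + 376-byte worm payload
WORM_UDP_LEN = 384     # the second LEN= on each line is the UDP header's length field

# Assumed local address space (documentation prefix, not the author's real one).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# The eight lines quoted in the post, then three constructed lines: a TCP
# drop that is not worm traffic, a short datagram to 1434 that is not the
# worm payload, and a worm-sized datagram whose SRC and DST are both foreign.
SAMPLE_LOG = """\
Jan 24 21:32:19: UDP Drop SRC=220.127.116.11 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=18.104.22.168 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=22.214.171.124 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:38:54: UDP Drop SRC=126.96.36.199 LEN=404 TOS=0x00 PREC=0x00 TTL=102 ID=9940 PROTO=UDP SPT=1654 DPT=1434 LEN=384
Jan 24 21:39:34: UDP Drop SRC=188.8.131.52 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=17122 PROTO=UDP SPT=4742 DPT=1434 LEN=384
Jan 24 21:41:40: UDP Drop SRC=184.108.40.206 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=21153 PROTO=UDP SPT=3121 DPT=1434 LEN=384
Jan 24 21:41:51: UDP Drop SRC=220.127.116.11 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=46498 PROTO=UDP SPT=1046 DPT=1434 LEN=384
Jan 24 21:42:06: UDP Drop SRC=18.104.22.168 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=2336 PROTO=UDP SPT=1574 DPT=1434 LEN=384
Jan 24 21:42:30: TCP Drop SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=100 PROTO=TCP SPT=3001 DPT=80
Jan 24 21:42:41: UDP Drop SRC=198.51.100.8 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=120 ID=101 PROTO=UDP SPT=3002 DPT=1434 LEN=9
Jan 24 21:43:02: UDP Drop SRC=203.0.113.5 DST=198.51.100.9 LEN=404 TOS=0x00 PREC=0x00 TTL=128 ID=102 PROTO=UDP SPT=4000 DPT=1434 LEN=384
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<action>.+?) (?P<fields>SRC=.*)$"
)


def parse_line(line, year=2003):
    """Parse one drop line into a dict of typed fields; None for other formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
           "action": m["action"]}
    for token in m["fields"].split():
        key, _, value = token.partition("=")
        if key == "LEN" and "LEN" in rec:
            key = "UDP_LEN"           # second LEN= is the UDP length, not the IP length
        if value.startswith("0x"):
            rec[key] = int(value, 16)
        elif value.isdigit():
            rec[key] = int(value)
        else:
            rec[key] = value
    return rec


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def is_worm_probe(rec):
    """Fingerprint of the traffic in the post: UDP to 1434 in a 404-byte datagram."""
    return (rec.get("PROTO") == "UDP" and rec.get("DPT") == WORM_DPT
            and rec.get("LEN") == WORM_IP_LEN
            and rec.get("UDP_LEN", WORM_UDP_LEN) == WORM_UDP_LEN)


def is_foreign_to_foreign(rec):
    """Packet seen on our segment with neither address in our space, i.e. a
    local host emitting packets with a spoofed source, as the post describes."""
    return "DST" in rec and not is_local(rec["SRC"]) and not is_local(rec["DST"])


def triage(text):
    records = [r for r in map(parse_line, text.splitlines()) if r]
    probes = [r for r in records if is_worm_probe(r)]
    per_source = defaultdict(int)
    for r in probes:
        per_source[r["SRC"]] += 1
    window = (probes[-1]["ts"] - probes[0]["ts"]).total_seconds() if len(probes) > 1 else 0.0
    return {
        "records": len(records),
        "probes": len(probes),
        "per_source": dict(per_source),
        "window_seconds": window,
        # TTL is kept on purpose: an undecremented initial TTL (64 or 128) on a
        # foreign-to-foreign packet means no router touched it, so it originated
        # on this segment, which is where a MAC lookup like the post's comes in.
        "foreign_to_foreign": [(r["SRC"], r["DST"], r["TTL"]) for r in records
                               if is_foreign_to_foreign(r)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports nine matching probes from seven sources inside a 643-second window, with two sources seen twice, and singles out the constructed 203.0.113.5 to 198.51.100.9 packet as foreign-to-foreign. On a real firewall the same script is fed the logger output for the first minutes of the event; the per-source counts and the foreign-to-foreign list are what you would hand to the colocation customer or the upstream along with the MAC address.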