Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

DDoS tracking / accounting tools

  • From: Mike Tancsa
  • Date: Sun Jun 08 18:36:02 2003



It appears someone started a DDoS (~ 500 hosts involved) attack against a customer IP in our network this morning at 6am EDT (~ 250Mb/s coming in on 3 links). None of the IP addresses are spoofed as there is a fixed set of about 500 hundred and all are coming in via paths that make sense from a bgp perspective. Also doing a quick sample of the ones still blasting at me across my private peers that have not null routed the /32 its clear that they are still pushing out packets as quick as possible judging by response times from those hosts. I now want to contact the individual network abuse departments of said networks so that they can take appropriate action against the 'owned' hosts involved. Does anyone know of or have a tool that can quickly take a list of IP addresses and summarize / generate the appropriate network contact info ? What about a tool to quickly summarize by AS ?

Doing a quick random sample of the hosts involved 6 out of 10 were all windows type boxes and 4 had no ports open or were either firewalled or behind some home router. The boxes all seem to be blasting out packets 445 bytes long and the protocol appears to be randomized in the header


09:35:57.243330 0:a:f3:a5:c8:bc 0:d0:b7:27:55:43 ip 459: 211.135.33.199 > 64.7.138.8: ip-proto-253 425 (ttl 109, id 9477, len 445)
0x0000 4500 01bd 2505 0000 6dfd 66e1 d387 21c7 E...%...m.f...!.
0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @...............
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000
and
..
18:23:59.553908 0:4:de:56:d:80 0:1:80:38:46:37 ip 459: h24-77-1-84.gv.shawcable.net > 64.7.138.8: icmp: echo reply
0x0000 4500 01bd 74e3 0000 7801 e8ac 184d 0154 E...t...x....M.T
0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @...............
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................

18:28:32.069714 0:4:de:56:d:80 0:1:80:38:46:37 0800 459: 24.77.1.84 > 64.7.138.8: truncated-udplength 0 (ttl 120, id 15668, len 44
5)
0x0000 4500 01bd 3d34 0000 7811 204c 184d 0154 E...=4..x..L.M.T
0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @...............
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................

Anyone recognize this DOS signature ? trinity v3 seems to have these capabilities but I have not seen it mentioned in some time... An oldie but a goodie, or something new ?


---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.