Security Incidents mailing list archives

Re: Been a victim of a DDoS


From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Tue, 14 Aug 2001 09:31:10 +0100

Hi,

It's most probably a "smurf" attack, where the attacker sends spoofed-source
ICMP requests to some well-known amplifier networks, so each request
results in 10-100 replies directed to the victim. There is no way to stop
it though :) Try to contact the admins of some of the networks which send
you those ICMP replies and ask for their help in tracing the source of the
packets causing it. It will not help very much either, because he could
easily move to another computer. If you are really worried about it, you
probably have to start some investigation, but again, it's _very_
difficult to trace the attacker if he has at least minimal skills.

Another solution - block all ICMP somewhere at the uplink for a while. The
kid will get bored and will stop flooding.

regards,
Vitaly.

Gustavo Monserrat wrote:

Hi all!

We have been victims of a huge DDoS against one IP address of ours, so huge
that it affected our upstream provider (one of Argentina's biggest). The
attack was directed at an IP address that belonged to a dial-up user; it
started on Sunday at 2:00 GMT-3 and continued until we stopped advertising
the network involved in BGP.

Our upstream informed us that traffic was coming from all around the world,
mostly from the Asia-Pacific region. It got to fill our uplink completely
(STM-1) and to create performance problems for other customers of our
upstream.

Unfortunately, we could not get accurate information regarding the content
of the packets that were arriving into our network. All I have is a log from
an ACL, but you know how much information you can get from that. It seems we
have been smurfed in a way that has no reason to be. A user was connected
with that IP address, but when he disconnected, packets were still coming in
huge amounts. We will try to advertise that network again and see what
happens. But... if the problem persists I really do not know how to stop it;
this address could have been taken randomly, and if the attacker decides to
change to a different network, you realize that we can't keep changing what
we advertise to the Internet.

I don't know what to really ask, but I need a lot of help. Below is a little
extract of our logs.

Thanks in advance to everyone.

Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:44 cli-border 11399: Aug 12 19:02:44.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.104.67.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:46 cli-border 11401: Aug 12 19:02:45.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.105.222.135 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:47 cli-border 11402: Aug 12 19:02:46.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.188.65.93 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:48 cli-border 11403: Aug 12 19:02:47.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 195.31.27.14 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:49 cli-border 11404: Aug 12 19:02:48.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 199.26.203.211 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:50 cli-border 11405: Aug 12 19:02:49.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.224.64.35 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11406: Aug 12 19:02:50.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.51.192.102 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:53 cli-border 11408: Aug 12 19:02:52.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.202.3.67 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:54 cli-border 11409: Aug 12 19:02:53.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.228 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:55 cli-border 11410: Aug 12 19:02:54.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 64.58.77.170(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:55 cli-border 11411: Aug 12 19:02:54.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11412: Aug 12 19:02:56.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 151.99.109.58 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11413: Aug 12 19:02:57.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.56.11.111 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11414: Aug 12 19:02:58.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.35.104 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11415: Aug 12 19:02:59.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.221 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11416: Aug 12 19:03:00.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 63.146.81.1 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11417: Aug 12 19:03:01.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 157.130.19.158 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11418: Aug 12 19:03:02.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.117 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11419: Aug 12 19:03:03.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.168.162.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11420: Aug 12 19:03:04.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.43.1.201 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11421: Aug 12 19:03:05.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.54.83.250 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11422: Aug 12 19:03:06.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.50.52.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11424: Aug 12 19:03:08.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.137.115.66 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11425: Aug 12 19:03:09.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.186.188.126 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:10 cli-border 11426: Aug 12 19:03:09.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:03:10 cli-border 11427: Aug 12 19:03:10.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.64.144.11 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:12 cli-border 11428: Aug 12 19:03:11.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.215.160.55 -> 200.45.105.91 (0/0), 1 packet
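One way to read an ACL log like the extract above in light of the smurf explanation in the reply: parse the IOS %SEC-6-IPACCESSLOGDP lines and, per victim address, count echo replies (ICMP type 0, code 0), distinct sources, /24s with several hosts answering together (the amplifier networks whose admins the reply suggests contacting) and the 255.255.255.255 source that appears in the log. This is an added example, not code from either poster; the sample lines are taken from the post's extract with the mail wrapping rejoined, and the /24 grouping and the `min_hosts_per_net` threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Lines taken from the post's ACL log extract (the mail-wrapped lines rejoined);
# the TCP line is included to show the ICMP parser skipping it.
SAMPLE_LOG = """\
Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:54 cli-border 11409: Aug 12 19:02:53.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.228 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11415: Aug 12 19:02:59.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.221 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11418: Aug 12 19:03:02.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.117 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
"""

# IOS ACL log for a denied ICMP packet: "... denied icmp SRC -> DST (TYPE/CODE), N packet(s)"
ICMP_RE = re.compile(r"IPACCESSLOGDP: list (?P<acl>\S+) denied icmp (?P<src>[\d.]+) -> "
                     r"(?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<pkts>\d+) packet")

def parse_icmp_denies(log_text):
    """One dict per ICMP deny line; tcp/udp lines (IPACCESSLOGP) do not match."""
    out = []
    for m in (ICMP_RE.search(line) for line in log_text.splitlines()):
        if m:
            out.append({k: (int(v) if k in ("type", "code", "pkts") else v)
                        for k, v in m.groupdict().items()})
    return out

def smurf_indicators(records, min_hosts_per_net=2):
    """Per victim address, summarise echo replies (ICMP 0/0): many distinct sources,
    several hosts of one /24 answering together (an amplifier network hit by a broadcast
    ping) and 255.255.255.255 as a source all fit smurf. The sources are the amplifiers'
    hosts, not the spoofing attacker. /24 grouping is an assumption of this example."""
    per_dst = defaultdict(lambda: {"pkts": 0, "srcs": set(), "nets": defaultdict(set)})
    for r in records:
        if (r["type"], r["code"]) != (0, 0):
            continue  # only echo replies are reflected smurf traffic
        v = per_dst[r["dst"]]
        v["pkts"] += r["pkts"]
        v["srcs"].add(r["src"])
        v["nets"][r["src"].rsplit(".", 1)[0]].add(r["src"])  # group sources by /24
    return {dst: {
        "echo_reply_packets": v["pkts"],
        "distinct_sources": len(v["srcs"]),
        "amplifier_candidates": sorted(n + ".0/24" for n, h in v["nets"].items()
                                       if len(h) >= min_hosts_per_net),
        "broadcast_source_seen": "255.255.255.255" in v["srcs"],
    } for dst, v in per_dst.items()}

if __name__ == "__main__":
    print(smurf_indicators(parse_icmp_denies(SAMPLE_LOG)))
```

On the full extract in the post the same code would list every /24 with two or more replying hosts, which is the short list of networks worth contacting first.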

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
