Re: Private routes advertised

["Alex P. Rudnev" <alex () Relcom EU net>]

We are seing long SMURF attack against the address 193.124.51.206. I ask 
everyone who read this list and can check traffic over his network to 
check if he see ICMP packets FROM 193.124.51.206 (SRC address) TO 
129.72/16, 129.74/16 etc...

I don't think it's impossible to localise the intruder if he hold this 
crazy program for so long (more than 6 hours). All it's nessesary to 
trace is the frauded packets with the SRC address 193.124.51.206/32 and 
DST addresses from the black list described here a few days ago.

What does we seen now is:


Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 
148.81.230.253 -> 193.

etc etc... This is echo-reply packets, and this means there exists 
ECHO-REQUEST packets sended by intruder.



 On Thu, 16 Apr 1998, Sam Critchley wrote:

> Date: Thu, 16 Apr 1998 17:06:25 +0100 (BST)
> From: Sam Critchley <samc () uk uu net>
> To: administrator () lamere net
> Cc: nanog () merit edu
> Subject: Re: Private routes advertised
>
>
> Hello,
>
> I've forwarded this to the UUNET NOC. You can call them on 1-800-900-0241 
> as well.
>
> Thanks,
>
>
> Sam Critchley
>
>
> On Thu, 16 Apr 1998 administrator () lamere net wrote:
>
> > Hello,
> >   alter.net is advertising private routes 192.168.nnn.nnn.  who do I
> > contact to get that shutdown?
> >
> > Here is the traceroute on it.
> >
> > [C:\]tracerte 192.168.2.5
> >  0  lamere-r1.lamere.net (206.249.60.1)  8 ms  8 ms  0 ms
> >  1  lamere-r1.lamere.net (206.249.60.1)  0 ms  0 ms  0 ms
> >  2  206.249.57.241 (206.249.57.241)  8 ms  0 ms  0 ms
> >  3  loki.wordwrap.net (206.249.56.1)  0 ms  7 ms  0 ms
> >  4  bbr2-s401-wordwrap.ctel.net (208.221.76.165)  8 ms  203 ms  180 ms
> >  5  905.Hssi2-0.GW1.BOS1.ALTER.NET (157.130.4.25)  31 ms  156 ms  234
> > ms
> >  6  123.ATM2-0-0.XR2.BOS1.ALTER.NET (146.188.176.238)  8 ms  24 ms  15
> > ms
> >  7  190.ATM10-0-0.XR2.EWR1.ALTER.NET (146.188.176.153)  32 ms  85 ms 
> > 32 ms
> >  8  100.ATM10-0-0.TR2.EWR1.ALTER.NET (146.188.176.90)  39 ms  31 ms 
> > 23 ms
> >  9  105.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.189)  24 ms  23 ms  24
> > ms 10  198.ATM8-0-0.XR2.TCO1.ALTER.NET (146.188.161.185)  32 ms  23 ms 
> > 24 ms 11  192.ATM1-0-0.GW2.TCO1.ALTER.NET (146.188.160.53)  31 ms  32
> > ms  23 ms 12  quantum-gw.customer.alter.net (157.130.34.170)  31 ms 
> > 31 ms  39 ms 13  192.168.4.1 (192.168.4.1)  86 ms *  93 ms
> > 14  192.168.10.2 (192.168.10.2)  94 ms  94 ms  93 ms
> > 15  192.168.11.23 (192.168.11.23)  94 ms  86 ms  125 ms
> > 16  192.168.2.5 (192.168.2.5)  93 ms *
> >
> > Curtis
> >
> > -- 
> > -----------------------------------------------------------
> > Curtis Maurand
> > System Administrator
> > lamere.net Business Center
> > We'll get you Wired.
> > administrator () lamere net
> > -----------------------------------------------------------
>
>
> ****************************************
> Sam Critchley
> International Systems Engineer
> UUNET
> samc () UU net
> Tel: (+44) 1223 250444
> ****************************************

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)