Security Incidents mailing list archives

Been a victim of a DDoS


From: "Gustavo Monserrat" <seg () arnet net ar>
Date: Mon, 13 Aug 2001 11:31:06 -0300

Hi all!

We have been victims of a huge DDoS against one IP address of ours, so huge
that it affected our upstream provider (one of Argentina's biggest). The
attack was directed to an IP address that belonged to a dial-up user; it
started on Sunday 2:00 GMT-3 and continued until we stopped advertising
the network involved in BGP.

Our upstream informed us that traffic was coming from all around the world,
mostly from the Asia-Pacific region. It got to fill our uplink completely
(STM-1) and to create performance problems for other customers of our
upstream.

Unfortunately, we could not get accurate information regarding the content
of the packets that were arriving into our network. All I have is a log from
an ACL, but you know how much information you can get. It seems we have been
smurfed in a way that has no reason to be. A user was connected with that IP
address, but when he disconnected, packets were still coming in huge
amounts. We will try to advertise that network again and see what will
happen. But... if the problem persists I really do not know how to stop it; this
address could have been taken randomly, and if the attacker decides to
change to a different network, you realize that we can't keep changing what
we advertise to the Internet.

I don't know what to really ask, but I need a lot of help. Below is a little
extract of our logs.

Thanks in advance to everyone.

Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:44 cli-border 11399: Aug 12 19:02:44.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.104.67.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:46 cli-border 11401: Aug 12 19:02:45.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.105.222.135 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:47 cli-border 11402: Aug 12 19:02:46.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.188.65.93 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:48 cli-border 11403: Aug 12 19:02:47.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 195.31.27.14 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:49 cli-border 11404: Aug 12 19:02:48.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 199.26.203.211 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:50 cli-border 11405: Aug 12 19:02:49.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.224.64.35 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11406: Aug 12 19:02:50.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.51.192.102 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:53 cli-border 11408: Aug 12 19:02:52.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.202.3.67 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:54 cli-border 11409: Aug 12 19:02:53.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.228 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:55 cli-border 11410: Aug 12 19:02:54.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 64.58.77.170(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:55 cli-border 11411: Aug 12 19:02:54.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11412: Aug 12 19:02:56.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 151.99.109.58 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11413: Aug 12 19:02:57.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.56.11.111 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11414: Aug 12 19:02:58.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.35.104 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11415: Aug 12 19:02:59.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.221 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11416: Aug 12 19:03:00.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 63.146.81.1 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11417: Aug 12 19:03:01.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 157.130.19.158 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11418: Aug 12 19:03:02.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.117 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11419: Aug 12 19:03:03.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.168.162.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11420: Aug 12 19:03:04.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.43.1.201 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11421: Aug 12 19:03:05.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.54.83.250 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11422: Aug 12 19:03:06.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.50.52.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11424: Aug 12 19:03:08.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.137.115.66 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11425: Aug 12 19:03:09.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.186.188.126 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:10 cli-border 11426: Aug 12 19:03:09.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:03:10 cli-border 11427: Aug 12 19:03:10.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.64.144.11 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:12 cli-border 11428: Aug 12 19:03:11.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.215.160.55 -> 200.45.105.91 (0/0), 1 packet


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
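Editor's added example (not code from the post or from SecurityFocus): the ACL log above is the only evidence the poster has, and it does say more than it seems once aggregated. Every entry is an ICMP type 0/code 0 (echo reply) from a different source to the one dial-up address, and two entries carry the impossible source 255.255.255.255; unsolicited echo replies from many unrelated sources is exactly the signature of a smurf-style reflection flood, where the victim's address was forged in echo requests sent to broadcast amplifiers. The script below parses the two Cisco IOS message formats present in the extract (%SEC-6-IPACCESSLOGDP with ICMP type/code, %SEC-6-IPACCESSLOGP with L4 ports), aggregates per destination and applies that heuristic. The thresholds and the sample input are my own: the sample is six entries rejoined from the extract plus one constructed non-ACL syslog line.

```python
import re
from collections import Counter

# Two Cisco IOS ACL logging formats appear in the extract above:
#   %SEC-6-IPACCESSLOGDP: list NAME denied icmp SRC -> DST (TYPE/CODE), N packet(s)
#   %SEC-6-IPACCESSLOGP:  list NAME denied tcp  SRC(SPORT) -> DST(DPORT), N packet(s)
# The "DP" variant carries the ICMP type/code, the "P" variant the L4 ports.
IP = r"\d+\.\d+\.\d+\.\d+"
ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) icmp "
    rf"(?P<src>{IP}) -> (?P<dst>{IP}) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)
L4_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>tcp|udp) "
    rf"(?P<src>{IP})\((?P<sport>\d+)\) -> (?P<dst>{IP})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Sample input (constructed for this example): six entries rejoined from the post's
# extract plus one unrelated IOS syslog line, to show that non-ACL lines are skipped.
SAMPLE_LOG = [
    "Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet",
    "Aug 12 18:02:44 cli-border 11399: Aug 12 19:02:44.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.104.67.95 -> 200.45.105.91 (0/0), 1 packet",
    "Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet",
    "Aug 12 18:02:46 cli-border 11401: Aug 12 19:02:45.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.105.222.135 -> 200.45.105.91 (0/0), 1 packet",
    "Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet",
    "Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet",
    "Aug 12 18:03:08 cli-border 11429: Aug 12 19:03:07.500 ARG: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
]


def parse_line(line):
    """Return a dict for one ACL log entry, or None if the line is not one."""
    m = ICMP_RE.search(line)
    if m:
        d = m.groupdict()
        return {"proto": "icmp", "src": d["src"], "dst": d["dst"],
                "detail": f"{d['type']}/{d['code']}", "count": int(d["count"])}
    m = L4_RE.search(line)
    if m:
        d = m.groupdict()
        # Port 0 on both sides (as in the tcp entries above) usually means the
        # logged packet was a non-initial fragment, which carries no TCP header.
        return {"proto": d["proto"], "src": d["src"], "dst": d["dst"],
                "detail": f"{d['sport']}->{d['dport']}", "count": int(d["count"])}
    return None


def summarize(lines):
    """Aggregate parsed entries into a per-destination traffic profile."""
    by_dst = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prof = by_dst.setdefault(rec["dst"], {
            "packets": 0, "sources": Counter(), "protos": Counter(),
            "echo_reply": 0, "broadcast_src": 0,
        })
        prof["packets"] += rec["count"]
        prof["sources"][rec["src"]] += rec["count"]
        prof["protos"][rec["proto"]] += rec["count"]
        # ICMP type 0 / code 0 is an echo reply: the victim never asked for these.
        if rec["proto"] == "icmp" and rec["detail"] == "0/0":
            prof["echo_reply"] += rec["count"]
        # 255.255.255.255 can never be a real unicast sender; it is a sign of
        # forged packets or a misbehaving reflector.
        if rec["src"] == "255.255.255.255":
            prof["broadcast_src"] += rec["count"]
    return by_dst


def classify(profile, min_sources=5, reply_ratio=0.5):
    """Heuristic verdicts (thresholds are this example's own assumptions):
    many distinct sources delivering mostly unsolicited echo replies to one
    host is the classic smurf / ICMP reflection pattern."""
    distinct = len(profile["sources"])
    ratio = profile["echo_reply"] / profile["packets"] if profile["packets"] else 0.0
    verdicts = []
    if distinct >= min_sources and ratio >= reply_ratio:
        verdicts.append("reflected-icmp-flood")
    if profile["broadcast_src"]:
        verdicts.append("broadcast-source")
    return {"distinct_sources": distinct, "echo_reply_ratio": round(ratio, 2),
            "verdicts": verdicts, "top_sources": profile["sources"].most_common(3)}


if __name__ == "__main__":
    for dst, prof in summarize(SAMPLE_LOG).items():
        print(dst, prof["packets"], "packets", dict(prof["protos"]), classify(prof))
```

To run it over a full syslog file, replace SAMPLE_LOG with the lines of the file (the archive-wrapped extract above must be rejoined first, as was done for the sample). The distinct-source list is the actionable output for the defender: each entry is a network whose broadcast address answered the forged requests, which is what an upstream or a CERT needs in order to contact the amplifier networks, and an "1 packet" count per source is itself consistent with reflection rather than a single flooding host.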
