nanog mailing list archives
Re: Denial of service attacks apparently from UUNET Netblocks
From: Karl Denninger <karl () mcs net>
Date: Tue, 7 Oct 1997 06:52:20 -0500
No. This was a transmission of 1K packets and was not in the style of any previously-seen attack that I'm aware of. Its a new thing. There was no attempt to SYN flood, or hit broadcast addresses, or use source-routing. All of that is protected against fairly well here. This was a simple "the machines are on a 10Mbps pipe, so hit them with 30Mbps of traffic and flood their NIC ports to the point that they're useless". -- -- Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | NEW! K56Flex modem support is now available Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines! Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal On Tue, Oct 07, 1997 at 07:01:34AM -0400, Dan Foster wrote:
Hot Diggety! Doug Davis was rumored to have said...19:56:56.854432 snap 0:0:0:8:0 37.31.237.183.1900 > 206.66.14.112.57039: S 674719801:674719801(0) win 65535 (ttl 21, id 13333) 19:56:56.854432 snap 0:0:0:8:0 76.167.191.100.1900 > 206.66.14.112.57040: S 674719801:674719801(0) win 65535 (ttl 21, id 13334) 19:56:56.854432 snap 0:0:0:8:0 131.254.10.213.1900 > 206.66.14.112.57041: S 674719801:674719801(0) win 65535 (ttl 21, id 13335) 19:56:56.855409 snap 0:0:0:8:0 74.60.41.73.1900 > 206.66.14.112.57042: S 674719801:674719801(0) win 65535 (ttl 21, id 13336)Ouch...painful. A whole lot of SYNs with forged source address, eh? Hmm... interesting. Karl, if I might ask - did your attack originate from any specific port, like 1900 as is listed here? I'm just curious since I'd like to get a rough idea if there's some program other than smurf.c out there that makes use of a specific port by default, or if this is just a one time occurence by a few separate idiots. And as usual, thanks for the heads up from folks on NANOG. -Dan Foster Frontier Internet Internet: dsf () frontiernet net
Current thread:
- Re: Denial of service attacks apparently from UUNET Netblocks, (continued)
- Re: Denial of service attacks apparently from UUNET Netblocks John A. Tamplin (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Greg A. Woods (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks David Lesher (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks David Lesher (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Karl Denninger (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Joe Shaw (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Brett Frankenberger (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Karl Denninger (Oct 08)
- Re: Denial of service attacks apparently from UUNET Netblocks Dan Foster (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Karl Denninger (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Joe Shaw (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Karl Denninger (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Joe Shaw (Oct 08)
- Re: Denial of service attacks apparently from UUNET Netblocks Sharif Torpis (Oct 07)
- Re: Denial of service attacks apparently from UUNET Netblocks Dale Drew (Oct 08)
- Re: Denial of service attacks apparently from UUNET Netblocks Alex "Mr. Worf" Yuriev (Oct 07)