nanog mailing list archives

Re: Tracing where it started


From: Clayton Fiske <clay () bloomcounty org>
Date: Sat, 25 Jan 2003 10:14:07 -0800


On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received
> their first attack packet, and where it came from, if they happened to
> be logging.
>
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 216.66.11.120

Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN

All from 206.176.210.74, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).

After that, I saw nothing until the storm started last night from many
different source IPs, which was at Jan 24 21:31:53 PST for me.

-c
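
The check described in the message above (one source, source port 53, walking consecutive addresses on UDP 1434), written as an added example that is not part of the original post. The sample lines are constructed in the same log layout using documentation addresses, and the function name, thresholds and `year` default are assumptions (the log lines carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample in the log layout quoted in the message; the addresses
# are documentation ranges, not the ones from the post.
SAMPLE = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 08:15:52 198.51.100.7,53 -> 192.0.2.4,1434 PR udp len 20 33 IN
Jan 16 09:02:10 203.0.113.9,53 -> 192.0.2.53,33012 PR udp len 20 120 IN
Jan 16 09:40:00 203.0.113.20,4021 -> 192.0.2.10,1434 PR udp len 20 404 IN
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+),(\d+) -> (\S+),(\d+) PR (\w+) ")

def find_sweeps(text, dport=1434, min_hosts=3, window=timedelta(seconds=10), year=2003):
    """Sources that probed >= min_hosts distinct hosts on udp/dport within window."""
    hits = defaultdict(list)  # (src, sport) -> [(time, dst)]
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(6) != "udp" or int(m.group(5)) != dport:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits[(m.group(2), int(m.group(3)))].append((ts, ip_address(m.group(4))))
    findings = []
    for (src, sport), events in hits.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):  # sliding time window over this source
            while events[end][0] - events[start][0] > window:
                start += 1
            dsts = {d for _, d in events[start:end + 1]}
            if len(dsts) > len(best):
                best = dsts
        if len(best) < min_hosts:
            continue
        ordered = sorted(best)
        # Sequential means every target is exactly one address after the last.
        sequential = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
        findings.append({"src": src, "sport": sport, "hosts": len(ordered),
                         "sequential": sequential, "from_dns_port": sport == 53})
    return findings
```

A hit with `from_dns_port` set is also a prompt to review any stateless rule that admits inbound UDP purely because its source port is 53.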

