nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tracing where it started

From: "Travis Pugh" <tdp () discombobulated net>
Date: Sat, 25 Jan 2003 17:32:17 -0500


According to Clayton Fiske:


Interestingly, looking through my logs for UDP 1434, I saw a

sequential

scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33

IN

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33

IN

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33

IN


All from 206.176.210.74, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).

After that, I saw nothing until the storm started last night from

many

different source IPs, which was at Jan 24 21:31:53 PST for me.


Ditto on the sequential scan well before the actual action, except
that mine came on Jan. 19th:

Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
...
...

The scan went across several subnets I manage inside 209.67.0.0
serially.  My sources were all from 67.8.33.179, all source port 1.
The actual worm propagation began to hit my logs at 00:28:16 EST Jan
25.

Cheers.

-travis
Previous By Date Next
Previous By Thread Next

Current thread: