nanog mailing list archives

DDoS tracking / accounting tools


From: Mike Tancsa <mike () sentex net>
Date: Sun, 08 Jun 2003 18:33:50 -0400



It appears someone started a DDoS (~500 hosts involved) attack against a customer IP in our network this morning at 6am EDT (~250Mb/s coming in on 3 links). None of the IP addresses are spoofed, as there is a fixed set of about 500 and all are coming in via paths that make sense from a BGP perspective. Also, doing a quick sample of the ones still blasting at me across my private peers that have not null routed the /32, it's clear that they are still pushing out packets as quick as possible, judging by response times from those hosts. I now want to contact the individual network abuse departments of said networks so that they can take appropriate action against the 'owned' hosts involved. Does anyone know of or have a tool that can quickly take a list of IP addresses and summarize / generate the appropriate network contact info? What about a tool to quickly summarize by AS?

Doing a quick random sample of the hosts involved, 6 out of 10 were all Windows type boxes and 4 had no ports open or were either firewalled or behind some home router. The boxes all seem to be blasting out packets 445 bytes long, and the protocol appears to be randomized in the header.


09:35:57.243330 0:a:f3:a5:c8:bc 0:d0:b7:27:55:43 ip 459: 211.135.33.199 > 64.7.138.8: ip-proto-253 425 (ttl 109, id 9477, len 445)
0x0000   4500 01bd 2505 0000 6dfd 66e1 d387 21c7        E...%...m.f...!.
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000
and
                  ..
18:23:59.553908 0:4:de:56:d:80 0:1:80:38:46:37 ip 459: h24-77-1-84.gv.shawcable.net > 64.7.138.8: icmp: echo reply
0x0000   4500 01bd 74e3 0000 7801 e8ac 184d 0154        E...t...x....M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................

18:28:32.069714 0:4:de:56:d:80 0:1:80:38:46:37 0800 459: 24.77.1.84 > 64.7.138.8: truncated-udplength 0 (ttl 120, id 15668, len 445)
0x0000   4500 01bd 3d34 0000 7811 204c 184d 0154        E...=4..x..L.M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................

Anyone recognize this DoS signature? trinity v3 seems to have these capabilities, but I have not seen it mentioned in some time... An oldie but a goodie, or something new?


        ---Mike
--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike () sentex net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
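
The two things the post asks for, a per-AS accounting summary and a way to pin down the packet signature, as an added example that is not part of the original post or of any tool it mentions: it decodes the IPv4 headers from the quoted tcpdump hex dumps, keeps only the 445-byte-length / any-protocol pattern, and groups the sources by a hypothetical prefix-to-(ASN, abuse contact) table (in practice that table would come from whois or IRR data; the ASNs used are from the documentation range).

```python
import ipaddress
import struct
from collections import defaultdict
# Constructed sample in the tcpdump -x layout quoted in the post (IPv4 header of 3 packets).
SAMPLE_DUMP = """\
0x0000   4500 01bd 2505 0000 6dfd 66e1 d387 21c7        E...%...m.f...!.
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0000   4500 01bd 74e3 0000 7801 e8ac 184d 0154        E...t...x....M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0000   4500 01bd 3d34 0000 7811 204c 184d 0154        E...=4..x..L.M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
"""
# Hypothetical prefix -> (origin ASN, abuse contact) table; real data comes from whois/IRR.
PREFIX_TABLE = {"211.135.0.0/16": ("AS64496", "abuse@example.net"),
                "24.77.0.0/16": ("AS64497", "abuse@example.org")}

def parse_dump(text):
    # Split a tcpdump -x hex dump into raw packets; each packet's dump restarts at 0x0000.
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue
        if fields[0] == "0x0000":
            packets.append(bytearray())
        packets[-1] += bytes.fromhex("".join(fields[1:9]))  # 8 hex groups; ASCII column ignored
    return [bytes(p) for p in packets]

def parse_ipv4_header(pkt):
    # Decode the fixed 20-byte IPv4 header (RFC 791) into the fields tcpdump prints.
    v_ihl, _, length, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": v_ihl & 0xF, "len": length, "id": ident, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}

def lookup_asn(ip, table=PREFIX_TABLE):
    # Longest-prefix match; sources outside the table are reported as "unknown".
    addr = ipaddress.IPv4Address(ip)
    hits = [ipaddress.IPv4Network(p) for p in table if addr in ipaddress.IPv4Network(p)]
    return table[str(max(hits, key=lambda n: n.prefixlen))] if hits else ("unknown", None)

def summarize_by_asn(dump_text, table=PREFIX_TABLE):
    # Keep the post's signature (445-byte IP length, any protocol); group per (ASN, contact).
    out = defaultdict(lambda: {"sources": set(), "packets": 0, "protos": set()})
    for hdr in map(parse_ipv4_header, parse_dump(dump_text)):
        if hdr["ihl"] != 5 or hdr["len"] != 445:
            continue
        entry = out[lookup_asn(hdr["src"], table)]
        entry["sources"].add(hdr["src"])
        entry["packets"] += 1
        entry["protos"].add(hdr["proto"])
    return dict(out)
```

The `protos` set per AS makes the "randomized protocol" observation visible in the summary (here ICMP and UDP from the same source), which is worth including in an abuse report alongside the source list.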

