Just to add to this. We noticed a sudden burst and terminated ports to customers infected as well. I never noticed anything odd from HE and we also applied 1434 blocks very quickly. Thankfully, our most infected customer crashed his internal core and took him offline anyway :).

----- Original Message -----
From: "Mike Leber" <mleber@he.net>
To: "Alex Rubenstein" <alex@nac.net>
Cc: "Johannes Ullrich" <jullrich@euclidian.com>; "Travis Pugh" <tdp@discombobulated.net>; <nanog@merit.edu>
Sent: Saturday, January 25, 2003 10:17 PM
Subject: Re: Tracing where it started
On Sun, 26 Jan 2003, Alex Rubenstein wrote:
+-----------------+
| 216.069.032.086 | Kentucky Community and Technical College System
| 066.223.041.231 | Interland
| 216.066.011.120 | Hurricane Electric
| 216.098.178.081 | V-Span, Inc.
+-----------------+
HE.net seems to be a recurring theme. (I speak to evil of them -- actually, there are some good people over there).
However, it appears that one of the 'root' boxes of this attack was at HE.
This is the third or fourth time I've seen their netblocks mentioned as the source of some of the first packets.
Looking at the router traffic graphs for the east and west coast the attack started at the same time just before 9:30 PST or 12:30 EST. I'm sure the owners of some of the infected boxes would be able to give a better chronology based on when their logs for other services (i.e. HTTP) they might have been running stopped.
After looking at flow stats and figuring out that this wasn't an attack by a single compromised box, we blocked udp port 1434 on several of our core routers. We then went back and contacted customers whose IPs showed up in our flow stats. Some were reachable and coordinated with our support to disconnect their MSSQL servers or otherwise shut down MSSQL. We then went through all our customer aggregation switches looking for ports that had the pattern of the attack, i.e. 25000 pps inbound to our switch, 10 packets outbound on a 100 Mbps port. We shut down about 7 customer ports in New York and about 16 in California. These customers were contacted and the majority of them have patched their machines; a few are still off.
Some Hurricane sites like our San Jose site were unaffected (no change from normal traffic levels) indicating any Windows users there had previously patched.
Mike.
+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber             Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric     Web Hosting  Colocation       Fax   510 580 4151 |
| mleber@he.net                                        http://www.he.net  |
+-----------------------------------------------------------------------+
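As an added example (not code from the thread or from Hurricane Electric), the following Python triage script applies the two heuristics Mike describes above to constructed data: flow records showing one source spraying UDP/1434 at many destinations, and switch-port counter deltas with heavy inbound pps and almost nothing outbound. The flow-record layout, port names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample data; the record layout is an assumption, not a real flow export.
# Flow record: (src_ip, dst_ip, proto, dst_port, packets)
def make_flows():
    flows = []
    # A worm-style source: one small UDP/1434 packet to each of 200 different hosts
    for i in range(200):
        flows.append(("192.0.2.10", f"203.0.113.{i}", "udp", 1434, 1))
    # A legitimate client talking to a single SQL server on 1434 (many packets, one peer)
    flows.extend([("192.0.2.20", "192.0.2.30", "udp", 1434, 5)] * 40)
    # Ordinary web traffic
    flows.append(("192.0.2.21", "198.51.100.8", "tcp", 80, 120))
    return flows

def suspect_sources(flows, min_dests=50):
    """Sources sending UDP/1434 to at least min_dests distinct destinations.
    A scanning worm touches many peers; a real SQL client talks to a few servers."""
    dests = defaultdict(set)
    for src, dst, proto, dport, _pkts in flows:
        if proto == "udp" and dport == 1434:
            dests[src].add(dst)
    hits = [(src, len(d)) for src, d in dests.items() if len(d) >= min_dests]
    return sorted(hits, key=lambda h: -h[1])

# Constructed interface counter deltas over one sampling interval:
# port name -> (packets received from the customer, packets sent to the customer)
PORT_DELTAS = {
    "Gi1/0/7": (25000, 10),   # the pattern from the thread: all inbound, nothing back
    "Gi1/0/8": (900, 850),    # normal two-way traffic
    "Gi1/0/9": (0, 0),        # idle port
}

def suspect_ports(deltas, interval_s, min_in_pps=20000, max_out_pps=100):
    """Ports whose inbound rate is high while almost nothing flows back.
    One-way bulk senders (e.g. a backup source) can match too, so confirm
    against the flow data before shutting a port."""
    hits = []
    for port, (in_pkts, out_pkts) in deltas.items():
        in_pps, out_pps = in_pkts / interval_s, out_pkts / interval_s
        if in_pps >= min_in_pps and out_pps <= max_out_pps:
            hits.append(port)
    return hits

if __name__ == "__main__":
    print("spraying UDP/1434:", suspect_sources(make_flows()))
    print("one-way saturated ports:", suspect_ports(PORT_DELTAS, interval_s=1.0))
```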