
We are seeing a long SMURF attack against the address 193.124.51.206. I ask everyone who reads this list and can check traffic over his network to check if he sees ICMP packets FROM 193.124.51.206 (SRC address) TO 129.72/16, 129.74/16 etc... I don't think it's impossible to localise the intruder if he has held this crazy program for so long (more than 6 hours). All that is necessary to trace is the forged packets with the SRC address 193.124.51.206/32 and DST addresses from the black list described here a few days ago.

What we see now is:

Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 148.81.230.253 -> 193.
etc etc...

These are echo-reply packets, and this means there exist ECHO-REQUEST packets sent by the intruder.

On Thu, 16 Apr 1998, Sam Critchley wrote:
Date: Thu, 16 Apr 1998 17:06:25 +0100 (BST)
From: Sam Critchley <samc@uk.uu.net>
To: administrator@lamere.net
Cc: nanog@merit.edu
Subject: Re: Private routes advertised
Hello,
I've forwarded this to the UUNET NOC. You can call them on 1-800-900-0241 as well.
Thanks,
Sam Critchley
On Thu, 16 Apr 1998 administrator@lamere.net wrote:
Hello, alter.net is advertising private routes 192.168.nnn.nnn. Who do I contact to get that shut down?
Here is the traceroute on it.
[C:\]tracerte 192.168.2.5
 0 lamere-r1.lamere.net (206.249.60.1) 8 ms 8 ms 0 ms
 1 lamere-r1.lamere.net (206.249.60.1) 0 ms 0 ms 0 ms
 2 206.249.57.241 (206.249.57.241) 8 ms 0 ms 0 ms
 3 loki.wordwrap.net (206.249.56.1) 0 ms 7 ms 0 ms
 4 bbr2-s401-wordwrap.ctel.net (208.221.76.165) 8 ms 203 ms 180 ms
 5 905.Hssi2-0.GW1.BOS1.ALTER.NET (157.130.4.25) 31 ms 156 ms 234 ms
 6 123.ATM2-0-0.XR2.BOS1.ALTER.NET (146.188.176.238) 8 ms 24 ms 15 ms
 7 190.ATM10-0-0.XR2.EWR1.ALTER.NET (146.188.176.153) 32 ms 85 ms 32 ms
 8 100.ATM10-0-0.TR2.EWR1.ALTER.NET (146.188.176.90) 39 ms 31 ms 23 ms
 9 105.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.189) 24 ms 23 ms 24 ms
10 198.ATM8-0-0.XR2.TCO1.ALTER.NET (146.188.161.185) 32 ms 23 ms 24 ms
11 192.ATM1-0-0.GW2.TCO1.ALTER.NET (146.188.160.53) 31 ms 32 ms 23 ms
12 quantum-gw.customer.alter.net (157.130.34.170) 31 ms 31 ms 39 ms
13 192.168.4.1 (192.168.4.1) 86 ms * 93 ms
14 192.168.10.2 (192.168.10.2) 94 ms 94 ms 93 ms
15 192.168.11.23 (192.168.11.23) 94 ms 86 ms 125 ms
16 192.168.2.5 (192.168.2.5) 93 ms *
Curtis
--
-----------------------------------------------------------
Curtis Maurand
System Administrator
lamere.net Business Center
We'll get you Wired.
administrator@lamere.net
-----------------------------------------------------------
****************************************
Sam Critchley
International Systems Engineer
UUNET
samc@UU.net
Tel: (+44) 1223 250444
****************************************
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
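The log excerpt in the first message is the raw signal a victim has to work with during a smurf attack: a single destination receiving ICMP echo replies (type 0, code 0) from many unrelated networks, each of which is an amplifier that answered a spoofed echo request. The following script is an added example, not part of the thread and not code from Relcom or any of the posters. It parses Cisco %SEC-6-IPACCESSLOGDP lines of the shape quoted above (the sample log is constructed here, reusing the addresses from the post plus a few made-up lines to show what gets filtered out), keeps only echo replies, and reports every destination that is being hit from at least `min_networks` distinct /16 prefixes together with the list of those prefixes. That prefix list is exactly what the poster asks the list to check: the networks whose operators should look for echo requests with the victim's address as source. The regex and the /16 grouping are assumptions about the log format and about how coarse a "network" should be for this purpose.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-7 mirror the echo replies quoted in the thread;
# the last three are made up to show non-echo-reply ICMP, a non-ICMP ACL hit
# (different mnemonic, ports in parentheses), and a second destination below threshold.
SAMPLE_LOG = """\
Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.3.9 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 192.0.2.7 -> 193.124.51.206 (3/1), 1 packet
Apr 16 20:31:56 MSK: %SEC-6-IPACCESSLOGP: list 108 denied tcp 192.0.2.8(1234) -> 193.124.51.206(25), 1 packet
Apr 16 20:31:56 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 192.0.2.9 -> 193.124.51.207 (0/0), 2 packets
"""

# Assumed layout of an IPACCESSLOGDP line: timestamp, zone, ACL name, protocol,
# src -> dst, "(type/code)", packet count. Lines that do not match are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+: %SEC-6-IPACCESSLOGDP: "
    r"list (?P<acl>\S+) denied icmp (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)

ICMP_ECHO_REPLY = 0


def parse_line(line):
    """Return a dict for one ICMP ACL log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "acl": d["acl"],
        "src": d["src"],
        "dst": d["dst"],
        "type": int(d["type"]),
        "code": int(d["code"]),
        "count": int(d["count"]),
    }


def slash16(ip):
    """Collapse an IPv4 address to its classful-era /16, the granularity used in the post."""
    a, b = ip.split(".")[:2]
    return f"{a}.{b}.0.0/16"


def find_reflection_targets(lines, min_networks=3):
    """Aggregate echo replies per destination.

    Returns {dst: {"packets": total, "networks": [sorted /16 prefixes]}} for every
    destination that received echo replies from at least min_networks distinct /16s.
    Many unrelated reply sources converging on one host is the amplification signature;
    the prefix list names the amplifier networks whose operators can trace the spoofed
    echo requests back toward their origin.
    """
    per_dst = defaultdict(lambda: {"packets": 0, "networks": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] != ICMP_ECHO_REPLY:
            continue
        bucket = per_dst[rec["dst"]]
        bucket["packets"] += rec["count"]
        bucket["networks"].add(slash16(rec["src"]))
    return {
        dst: {"packets": b["packets"], "networks": sorted(b["networks"])}
        for dst, b in per_dst.items()
        if len(b["networks"]) >= min_networks
    }


if __name__ == "__main__":
    for dst, info in find_reflection_targets(SAMPLE_LOG.splitlines()).items():
        print(f"{dst}: {info['packets']} echo replies from {len(info['networks'])} networks")
        for net in info["networks"]:
            print(f"  amplifier candidate: {net}")
```

Run against a real `show logging` capture instead of `SAMPLE_LOG`, the `networks` list is the set of prefixes to hand to upstream and peer NOCs; the ACL itself (list 108 in the post) only protects the victim's link, while stopping the flood requires the amplifier networks to filter directed broadcasts and the networks nearer the origin to drop packets whose source address they do not own.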