It appears someone started a DDoS (~ 500 hosts involved) attack against a customer IP in our network this morning at 6am EDT (~ 250Mb/s coming in on 3 links). None of the IP addresses are spoofed as there is a fixed set of about 500 hundred and all are coming in via paths that make sense from a bgp perspective. Also doing a quick sample of the ones still blasting at me across my private peers that have not null routed the /32 its clear that they are still pushing out packets as quick as possible judging by response times from those hosts. I now want to contact the individual network abuse departments of said networks so that they can take appropriate action against the 'owned' hosts involved. Does anyone know of or have a tool that can quickly take a list of IP addresses and summarize / generate the appropriate network contact info ? What about a tool to quickly summarize by AS ? Doing a quick random sample of the hosts involved 6 out of 10 were all windows type boxes and 4 had no ports open or were either firewalled or behind some home router. The boxes all seem to be blasting out packets 445 bytes long and the protocol appears to be randomized in the header 09:35:57.243330 0:a:f3:a5:c8:bc 0:d0:b7:27:55:43 ip 459: 211.135.33.199 > 64.7.138.8: ip-proto-253 425 (ttl 109, id 9477, len 445) 0x0000 4500 01bd 2505 0000 6dfd 66e1 d387 21c7 E...%...m.f...!. 0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @............... 0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0050 0000 and .. 18:23:59.553908 0:4:de:56:d:80 0:1:80:38:46:37 ip 459: h24-77-1-84.gv.shawcable.net > 64.7.138.8: icmp: echo reply 0x0000 4500 01bd 74e3 0000 7801 e8ac 184d 0154 E...t...x....M.T 0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @............... 0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................ 18:28:32.069714 0:4:de:56:d:80 0:1:80:38:46:37 0800 459: 24.77.1.84 > 64.7.138.8: truncated-udplength 0 (ttl 120, id 15668, len 44 5) 0x0000 4500 01bd 3d34 0000 7811 204c 184d 0154 E...=4..x..L.M.T 0x0010 4007 8a08 0000 0000 0000 0000 0000 0000 @............... 0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................ Anyone recognize this DOS signature ? trinity v3 seems to have these capabilities but I have not seen it mentioned in some time... An oldie but a goodie, or something new ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike