----- Original Message ----- From: "Sean Donelan" <sean@donelan.com> To: <nanog@merit.edu> Sent: Tuesday, March 25, 2003 9:17 AM Subject: Re: Al Jazeera DOSed or just lots of traffic : : On Mon, 24 Mar 2003, james wrote: : > : It was DDoSed even the nameservers routes were null due to the DDoS huge : > : size. : > : > I noticed today that a traceroute to this host from my network exited : > at 4 or 5 hops on west coast at a major providers network. : : Its common for popular web sites to locate their major servers : topologically in the network away from their organization's geographic : location. For example, the BBC (a UK organization) has web servers : in New York City. So it doesn't surprise me to see Al Jezeera's web : servers connected through New Jersey. : : Al Jazeera's main web site (64.106.198.10) is still very slow, but I can : get to their english language web site on the same subnet (64.106.198.16). : So its acting more like a overloaded web server than a DDOS. But I don't : have any special insight into Al Jazeera's network. I tried to traceroute it from Level3 looking Glass yesterday when it was down http://www.l3.com/LookingGlass/ and I got this: Traceroute From Traceroute To New York, NY www.aljazeera.net Domain name lookup for 'www.aljazeera.net' failed. Exiting. Beside I called the Tech guys in AlJazeera and told me they are working with opentransit and DataPipe to stop the attack ASAP. I tried to did nslookup using ALJNS1SA.NAV-LINK.NET 217.26.193.15 ALJNS1HB.DATAPIPE.COM 64.106.198.4 But none did work, and the route to 217.26.193.15 was nulled and I couldn't run traceroute to 64.106.198.4 maybe DataPipe was filtering the ICMP And the UDP to that IP it was dieing within DataPipe network. route-server>traceroute 64.106.198.4 Type escape sequence to abort. Tracing the route to aljns1hb.datapipe.com (64.106.198.4) 1 white_dwarf.cbbtier3.att.net (12.0.1.1) [AS 7018] 0 msec 200 msec 4 msec 2 ar3.n54ny.ip.att.net (12.126.0.30) [AS 7018] 204 msec 200 msec 204 msec 3 gbr1-a30s10.n54ny.ip.att.net (12.127.5.142) [AS 7018] 204 msec 204 msec 4 msec 4 tbr1-p013202.n54ny.ip.att.net (12.122.11.1) [AS 7018] 204 msec 204 msec 200 msec 5 gar4-p300.n54ny.ip.att.net (12.123.3.2) [AS 7018] 200 msec 200 msec 204 msec 6 att-gw.ny.qwest.net (192.205.32.170) [AS 7018] 200 msec 204 msec 200 msec 7 jfk-core-02.inet.qwest.net (205.171.230.22) [AS 209] 200 msec 4 msec 200 msec 8 ewr-core-01.inet.qwest.net (205.171.8.245) [AS 209] 200 msec 204 msec 204 msec 9 ewr-cntr-01.inet.qwest.net (205.171.17.146) [AS 209] 204 msec 200 msec 208 msec 10 msfc-24.ewr.qwest.net (63.146.100.66) [AS 209] 208 msec 200 msec 204 msec 11 * * * 12 vlan11.aggr2.ewr.datapipe.net (64.106.128.6) [AS 14492] 0 msec 4 msec 0 msec 13 * * * 14 * * * Thanks, -A