Here are the first ten minutes of packets that one of my firewalls intercepted (PST times):

Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:38:54: UDP Drop SRC=211.57.70.131 LEN=404 TOS=0x00 PREC=0x00 TTL=102 ID=9940 PROTO=UDP SPT=1654 DPT=1434 LEN=384
Jan 24 21:39:34: UDP Drop SRC=202.96.108.140 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=17122 PROTO=UDP SPT=4742 DPT=1434 LEN=384
Jan 24 21:41:40: UDP Drop SRC=200.162.192.22 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=21153 PROTO=UDP SPT=3121 DPT=1434 LEN=384
Jan 24 21:41:51: UDP Drop SRC=64.70.191.74 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=46498 PROTO=UDP SPT=1046 DPT=1434 LEN=384
Jan 24 21:42:06: UDP Drop SRC=129.242.210.240 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=2336 PROTO=UDP SPT=1574 DPT=1434 LEN=384

I checked, and none of these source addresses had sent any visible probes into my network within the prior month.

The really weird thing is that while I was interactively watching router logs I saw a bunch of packets where neither the SRC nor DST were within my network. I looked up the MAC address of the packets, and they seemed to be coming from a client colocated box (apparently un-firewalled Linux). I wonder if there was a worm that spread previous to the attack to seed/start the attack by sending spoofed attack packets to a large list of known vulnerable servers. It does make sense though that the origin packets would have all been spoofed. Unfortunately I can't find any items like that in my log files.

-Steve

On Sun, Jan 26, 2003 at 12:09:33AM -0500, Alex Rubenstein eloquently stated:
> +-----------------+-------------------------------------------------+
> | 216.069.032.086 | Kentucky Community and Technical College System |
> | 066.223.041.231 | Interland                                       |
> | 216.066.011.120 | Hurricane Electric                              |
> | 216.098.178.081 | V-Span, Inc.                                    |
> +-----------------+-------------------------------------------------+
>
> HE.net seems to be a recurring theme. (I speak to evil of them -- actually, there are some good people over there).
>
> However, it appears that one of the 'root' boxes of this attack was at HE. This is the third or fourth time I've seen their netblocks mentioned as the source of some of the first packets.
>
> -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
--
Stephen Milton - Vice President            (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services   (425) 869-9437 Fax
milton@isomedia.com                        http://www.isomedia.com
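As an added example, not part of the thread and not code posted by either correspondent: a small Python script that parses firewall "UDP Drop" lines in the format Steve quoted, counts UDP/1434 drops per source and per minute (the burst of distinct sources in a short window is what makes the log stand out), and flags packets where neither SRC nor DST falls inside the local prefixes, which is the "neither end is mine" case he describes seeing from a colocated neighbour. The local prefix is a hypothetical RFC 5737 range, and the sample log lines are constructed for this example; they follow the same field layout as the message but include a DST= field, which the spoofing check needs and which the quoted lines omit.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Hypothetical local prefix (RFC 5737 documentation space), standing in for
# the poster's own netblocks. Adjust to the prefixes the firewall actually
# fronts.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines in the same format as the message above.
# DST= is present here because the "neither end is local" check needs it.
SAMPLE_LOG = """\
Jan 24 21:32:19: UDP Drop SRC=211.205.179.133 DST=203.0.113.7 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=22340 PROTO=UDP SPT=1739 DPT=1434 LEN=384
Jan 24 21:32:54: UDP Drop SRC=128.122.40.59 DST=203.0.113.7 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=1366 PROTO=UDP SPT=1086 DPT=1434 LEN=384
Jan 24 21:33:11: UDP Drop SRC=141.142.65.14 DST=203.0.113.9 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=28703 PROTO=UDP SPT=1896 DPT=1434 LEN=384
Jan 24 21:33:40: UDP Drop SRC=198.51.100.23 DST=192.0.2.44 LEN=404 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=UDP SPT=2000 DPT=1434 LEN=384
Jan 24 21:34:02: UDP Drop SRC=211.205.179.133 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=22341 PROTO=UDP SPT=1739 DPT=53 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<proto>\w+) (?P<action>\w+) (?P<kv>.*)$"
)


def parse_line(line, year=2003):
    """Return a dict of fields for one log line, or None if it does not match.
    The first LEN= is the IP total length; the second (UDP length) is stored
    as UDP_LEN so that neither value is lost."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "action": m.group("action"),
    }
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        if key in rec:
            key = "UDP_" + key  # duplicate field name: the UDP-layer LEN
        rec[key] = val
    return rec


def is_local(ip):
    """True if the address lies inside one of the configured local prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def summarize(log_text, port="1434"):
    """Aggregate dropped UDP packets to `port`: count per source, count per
    minute, and list (SRC, DST) pairs where neither address is local. On a
    border device the last group points at spoofed or transit traffic coming
    from a neighbouring host rather than at anything addressed to you."""
    per_source = Counter()
    per_minute = Counter()
    transit = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "UDP" or rec.get("DPT") != port:
            continue
        per_source[rec["SRC"]] += 1
        per_minute[rec["ts"].strftime("%H:%M")] += 1
        if "DST" in rec and not is_local(rec["SRC"]) and not is_local(rec["DST"]):
            transit.append((rec["SRC"], rec["DST"]))
    return {"per_source": per_source, "per_minute": per_minute, "transit": transit}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("distinct sources hitting udp/1434:", len(s["per_source"]))
    for minute, n in sorted(s["per_minute"].items()):
        print(f"  {minute}  {n} drop(s)")
    for src, dst in s["transit"]:
        print(f"  neither end local: {src} -> {dst}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and LOCAL_NETS with your own prefixes; the per-minute counter is the quickest way to see the onset of a burst like the one in the quoted log, and any entry in the transit list is worth tracing to the MAC address of the neighbour that put it on the wire, as Steve did.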