On Sun, 26 Jan 2003, Alex Rubenstein wrote:
> +-----------------+-------------------------------------------------+
> | 216.069.032.086 | Kentucky Community and Technical College System |
> | 066.223.041.231 | Interland                                       |
> | 216.066.011.120 | Hurricane Electric                              |
> | 216.098.178.081 | V-Span, Inc.                                    |
> +-----------------+-------------------------------------------------+
>
> HE.net seems to be a recurring theme. (I speak to evil of them -- actually, there are some good people over there).
>
> However, it appears that one of the 'root' boxes of this attack was at HE. This is the third or fourth time I've seen their netblocks mentioned as the source of some of the first packets.
Looking at the router traffic graphs for the east and west coast, the attack started at the same time, just before 9:30 PST or 12:30 EST. I'm sure the owners of some of the infected boxes would be able to give a better chronology based on when their logs for other services (i.e. HTTP) they might have been running stopped.

After looking at flow stats and figuring out that this wasn't an attack by a single compromised box, we blocked udp port 1434 on several of our core routers. We then went back and contacted customers whose IPs showed up in our flow stats. Some were reachable and coordinated with our support to disconnect their MSSQL servers or otherwise shut down MSSQL.

We then went through all our customer aggregation switches looking for ports that had the pattern of the attack, i.e. 25000 pps inbound to our switch, 10 packets outbound on a 100 Mbps port. We shut down about 7 customer ports in New York and about 16 in California. These customers were contacted and the majority of them have patched their machines; a few are still off.

Some Hurricane sites like our San Jose site were unaffected (no change from normal traffic levels), indicating any Windows users there had previously patched.

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber       Direct Internet Connections       Voice 510 580 4100 |
| Hurricane Electric       Web Hosting Colocation      Fax 510 580 4151 |
| mleber@he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
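The two checks Mike describes above (flow stats showing udp/1434 traffic from many sources rather than one box, then switch-port counters showing tens of thousands of packets per second inbound to the switch with almost nothing outbound) can be scripted. The following is an added example written for this page, not code from Hurricane Electric or from anyone in the thread; the flow records, interface counter snapshots, port names and the pps thresholds are constructed to illustrate the pattern and are not real data.

```python
"""Detection of the Slammer-era traffic pattern described in the thread:
(1) heavy udp/1434 traffic coming from more than one source, and
(2) switch ports with very high inbound pps and near-zero outbound pps.
All input data below is constructed for illustration."""
from collections import Counter

# Constructed flow records (src, dst, proto, dst_port, packets). The
# addresses are documentation ranges (RFC 5737), not real hosts.
FLOWS = [
    ("192.0.2.10",  "198.51.100.5",  "udp", 1434, 8200),
    ("192.0.2.10",  "198.51.100.9",  "udp", 1434, 7900),
    ("192.0.2.77",  "203.0.113.4",   "udp", 1434, 9100),
    ("192.0.2.77",  "203.0.113.8",   "udp", 1434, 8800),
    ("192.0.2.140", "198.51.100.23", "udp", 1434, 9500),
    ("192.0.2.23",  "198.51.100.80", "tcp", 80,   40),   # ordinary web traffic
    ("192.0.2.23",  "198.51.100.25", "tcp", 25,   12),   # ordinary mail traffic
]


def udp1434_sources(flows, min_packets=1000):
    """Return {source_ip: packets} for sources sending heavy udp/1434 traffic."""
    per_src = Counter()
    for src, _dst, proto, dport, pkts in flows:
        if proto == "udp" and dport == 1434:
            per_src[src] += pkts
    return {src: pkts for src, pkts in per_src.items() if pkts >= min_packets}


def is_single_source(flows):
    """True when at most one host is responsible; False means a worm-style
    outbreak with many infected sources (what the thread observed)."""
    return len(udp1434_sources(flows)) <= 1


# Constructed interface packet counters (port -> (in_packets, out_packets))
# sampled twice, INTERVAL_S seconds apart. "in" is traffic entering the
# switch from the customer, i.e. what an infected host emits.
INTERVAL_S = 10
COUNTERS_T0 = {
    "Fa0/1": (1_000_000, 1_200_000),
    "Fa0/2": (5_400_000, 5_400_123),
    "Fa0/3": (2_200_000, 2_150_000),
}
COUNTERS_T1 = {
    "Fa0/1": (1_000_400, 1_200_600),   # 40 pps in, 60 pps out: normal host
    "Fa0/2": (5_650_000, 5_400_133),   # 25,000 pps in, 1 pps out: suspect
    "Fa0/3": (2_202_000, 2_150_000),   # 200 pps in, 0 out: quiet host
}


def port_rates(t0, t1, interval_s):
    """Convert two counter snapshots into {port: (in_pps, out_pps)}."""
    rates = {}
    for port, (in1, out1) in t1.items():
        in0, out0 = t0[port]
        rates[port] = ((in1 - in0) / interval_s, (out1 - out0) / interval_s)
    return rates


def flag_worm_pattern(rates, min_in_pps=20_000, max_out_pps=10):
    """Ports whose inbound rate is huge while outbound stays near zero.
    Thresholds are assumptions chosen around the 25000 pps / 10 packets
    figures quoted in the thread; tune them to the link speed in use."""
    return sorted(port for port, (in_pps, out_pps) in rates.items()
                  if in_pps >= min_in_pps and out_pps <= max_out_pps)


if __name__ == "__main__":
    print("udp/1434 heavy sources:", udp1434_sources(FLOWS))
    print("single source?", is_single_source(FLOWS))
    rates = port_rates(COUNTERS_T0, COUNTERS_T1, INTERVAL_S)
    print("ports matching the pattern:", flag_worm_pattern(rates))
```

Run as-is it reports three udp/1434 sources (so not a single compromised box) and flags only Fa0/2, the port whose counters moved 250,000 packets inbound and 10 outbound over the ten-second window. Real deployments would feed this from NetFlow/sFlow exports and SNMP interface counters instead of the inline samples.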