DOS Attacks and reliable network contact data.
I've seen an increase in DOS attacks over the past week or so, of a form I really haven't encountered before. Below are some logs.

22:30:52.821705 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 1062615418 win 0
22:30:52.821956 202.172.120.255.80 > 205.133.127.30.6667: R 0:0(0) ack 3046052966 win 0
22:30:52.822208 168.17.227.0.80 > 205.133.127.30.6667: S 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0

Lots and lots of TCP ACKs from broadcast addresses. Looks like a new kind of indirect SYN/ACK flood based on broadcast addresses. Which led me to sort through my logs and do my best to get the amps shut down, which led me to my current problem/gripe. There exists no reliable way to get the contact of a network without first querying ARIN, then APNIC, then the .jp registry for instance. This is a royal PITA and is in no way scriptable that I can see. Am I wrong? Does such a thing exist? What can we do about these attacks?

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------
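The log excerpt above is the kind of thing worth scripting before chasing contacts. The Python below is an added example and not part of the original thread: it parses lines in the tcpdump format shown in the post, flags zero-payload SYN/ACK, RST/ACK and bare-ACK segments arriving from a service port (backscatter that a host which never opened those connections should not be receiving), marks sources that look like directed-broadcast addresses (host octet .0 or .255, or 255.255.255.255), and tallies candidate amplifier /24s so each netblock can be looked up once. The sample lines are the ones quoted in the post; the service-port threshold, the broadcast heuristic and the /24 grouping are my own assumptions.

```python
import re
from collections import Counter

# tcpdump -n line layout as it appears in the post:
#   HH:MM:SS.usec SRC.sport > DST.dport: FLAGS [seq:seq(len)] [ack N] win W [<opts>] [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPFWE.]+)\s+"
    r"(?:\d+:\d+\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)

# Sample input: the seven lines quoted in the post.
SAMPLE_LOG = """\
22:30:52.821705 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 1062615418 win 0
22:30:52.821956 202.172.120.255.80 > 205.133.127.30.6667: R 0:0(0) ack 3046052966 win 0
22:30:52.822208 168.17.227.0.80 > 205.133.127.30.6667: S 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
"""


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "payload": int(d["len"]) if d["len"] else 0,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]),
    }


def is_broadcast_like(ip):
    """Assumption: a source whose host octet is 0 or 255 (or the limited
    broadcast address) was hit by a SYN aimed at a directed-broadcast address."""
    if ip == "255.255.255.255":
        return True
    return ip.rsplit(".", 1)[1] in ("0", "255")


def is_backscatter(pkt):
    """A zero-payload segment with ACK set, coming *from* a well-known service
    port, is the far end answering a SYN.  If this host never opened that
    connection, someone else sent the SYN with our address as source."""
    return (pkt["ack"] is not None
            and pkt["payload"] == 0
            and pkt["flags"] in ("S", "R", ".")
            and pkt["sport"] < 1024)


def summarize(log_text):
    """Tally backscatter sources per /24 so each netblock can be looked up once."""
    per_net = Counter()
    total = broadcast = 0
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_backscatter(pkt):
            continue
        total += 1
        if is_broadcast_like(pkt["src"]):
            broadcast += 1
        if pkt["src"] == "255.255.255.255":
            continue  # limited broadcast: there is no netblock owner to contact
        net = pkt["src"].rsplit(".", 1)[0] + ".0/24"
        per_net[net] += 1
    return {"total": total, "broadcast_like": broadcast, "networks": per_net}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} backscatter segments, "
          f"{report['broadcast_like']} from broadcast-looking sources")
    for net, n in report["networks"].most_common():
        print(f"  {net:20s} {n}")
```

Run it against a full capture (tcpdump -n output piped in) rather than the seven sample lines and the per-/24 counts become the list of networks to query the registries about; 255.255.255.255 is dropped from that list on purpose, since no one owns it.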
On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote:
> 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
> 22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
> 22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
> 22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
> 22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
We do get this sort of crap daily, at least 5 times a day, distributed tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230 slave networks (in /24 format). Kids are after taking CPUs in routers out and not killing you with hundreds and hundreds of Mbps, high-pps attacks are also very nasty, and of course everything is over some stupid IRC issue.

> There exists no reliable way to get the contact of a network without first querying ARIN, then APNIC, then the .jp registry for instance. This is a royal PITA and is in no way scriptable that I can see.

What is neat is all those 'slaves' are spoofing inside their own /24 or whatever allocation they sit in, and it's very hard to persuade somebody to look into this as they claim those IP addresses are not in use or have only routers/switches and there is no way those devices could've generated a [d]DoS attack.

--
Basil Kruglov [BK252-ARIN]
Network Engineering and Security
CIFNet, Inc.
> We do get this sort of crap daily, at least 5 times a day, distributed tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230 slave networks (in /24 format). Kids are after taking CPUs in routers out and not killing you with hundreds and hundreds of Mbps, high-pps attacks are also very nasty, and of course everything is over some stupid IRC issue.

We have found two hacked Linux boxen (on customers' boxes) recently that have been used as DDOS creators. Both were older (Redhat 6.0) and were well hacked, replacing ls, find, ps, login, wtmp.. etc... and they installed a small IRC proxy server (BNC ala bnc.com) and then some tools for sniffing and apparently creating DDOS. We were unable to find traces of the originating IPs in logs or other files. I saved some of the programs (t0rnD, stachel..)
On Sat, 21 Oct 2000, Jason Slagle wrote:
> There exists no reliable way to get the contact of a network without first querying ARIN, then APNIC, then the .jp registry for instance. This is a royal PITA and is in no way scriptable that I can see.

Yes, there is. Use the Geektools whois proxy at whois.geektools.com. You can also get the perl source and set up your own proxy, since they only allow something like 10 or so queries a day. I've used their source in a few tools and have had no real problems with it.

Of course, once the technological means are taken care of you still have to have reliable contact information in the database, and someone who'll actually read your complaint and respond in an acceptable amount of time.

--
Joseph W. Shaw - jshaw@insync.net
Sr. Security Specialist for <Big company not to be named>.
Yes, but even geektools falls flat on its face for, let's say, 210.251.128.255.

:sigh: I really wish we could get a common format for these.

I really like the RIPE style databases.

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172

On Sun, 22 Oct 2000, Joe Shaw wrote:

> Yes, there is. Use the Geektools whois proxy at whois.geektools.com. You can also get the perl source and set up your own proxy, since they only allow something like 10 or so queries a day. I've used their source in a few tools and have had no real problems with it.
>
> Of course, once the technological means are taken care of you still have to have reliable contact information in the database, and someone who'll actually read your complaint and respond in an acceptable amount of time.
Ah, now I see the issue. That's insanely sparse on the information. Since I'm really quite ignorant in the area, who gives JPNIC the power to assign netblocks? APNIC I presume, after checking with APNIC's whois database. I guess there's no policy for standards and the like. How do things like standards get enforced amongst registry entities outside the US?

--
Joseph W. Shaw - jshaw@insync.net
Sr. Security Specialist for <Big company not to be named>.

On Sun, 22 Oct 2000, Jason Slagle wrote:

> Yes, but even geektools falls flat on its face for, let's say, 210.251.128.255.
>
> :sigh: I really wish we could get a common format for these.
>
> I really like the RIPE style databases.
Which JPNIC block? The original JPNIC delegation was from SRI, predating NSI, APNIC and ARIN. And no, there is no standard for whois data that is published, let alone publishing at all.
> Ah, now I see the issue. That's insanely sparse on the information. Since I'm really quite ignorant in the area, who gives JPNIC the power to assign netblocks? APNIC I presume, after checking with APNIC's whois database. I guess there's no policy for standards and the like. How do things like standards get enforced amongst registry entities outside the US?
>
> --
> Joseph W. Shaw - jshaw@insync.net
> Sr. Security Specialist for <Big company not to be named>.
>
> On Sun, 22 Oct 2000, Jason Slagle wrote:
>
> > Yes, but even geektools falls flat on its face for, let's say, 210.251.128.255.
> >
> > :sigh: I really wish we could get a common format for these.
> >
> > I really like the RIPE style databases.
At the risk of sounding entirely un-politically correct, is it possible to query whois.nic.ad.jp for actual contact information, vs. just company name? Color me frustrated, but, even with the "/e" extension, nic.ad.jp has been nearly useless for many moons. This strikes me as somewhat irresponsible.

: Which JPNIC block? The original JPNIC delegation was from SRI,
: predating NSI, APNIC and ARIN. And no, there is no standard for
: whois data that is published, let alone publishing at all.
: >
: > Ah, now I see the issue. That's insanely sparse on the
: > information. Since I'm really quite ignorant in the area, who gives JPNIC
: > the power to assign netblocks? APNIC I presume, after checking with
: > APNIC's whois database. I guess there's no policy for standards and the
: > like. How do things like standards get enforced amongst registry entities
: > outside the US?
: >
: > --
: > Joseph W. Shaw - jshaw@insync.net
: > Sr. Security Specialist for <Big company not to be named>.
: >
: > On Sun, 22 Oct 2000, Jason Slagle wrote:
: >
: > > Yes, but even geektools falls flat on its face for, let's say,
: > > 210.251.128.255.
: > >
: > > :sigh: I really wish we could get a common format for these.
: > >
: > > I really like the RIPE style databases.
Brian Wallingford wrote:
> At the risk of sounding entirely un-politically correct, is it possible to query whois.nic.ad.jp for actual contact information, vs. just company name? Color me frustrated, but, even with the "/e" extension, nic.ad.jp has been nearly useless for many moons. This strikes me as somewhat irresponsible.
>
> > On Sun, 22 Oct 2000, Jason Slagle wrote:
> >
> > > Yes, but even geektools falls flat on its face for, let's say,
> > > 210.251.128.255.

$ whois -h whois.nic.ad.jp 210.251.128.255/e
ALLNET(TITUS COMMUNICATIONS CORPORATION) ALLNET-CATV [210.251.128.0 <-> 210.251.143.255] 210.251.128.0-210.251.143.0

$ whois -h whois.nic.ad.jp 210.251.128.0-210.251.143.0/e
Network Information:
a. [Network Number]          210.251.128.0-210.251.143.0
b. [Network Name]            ALLNET-CATV
g. [Organization]            ALLNET(TITUS COMMUNICATIONS CORPORATION)
j. [Address]                 JBP OVAL 8F, 52-2, Jingumae 5-Chome,Shibuya-ku,Tokyo
m. [Administrative Contact]  YO020JP
n. [Technical Contact]       YO020JP
p. [Nameserver]              ns1.allnet.ne.jp
p. [Nameserver]              ns2.allnet.ne.jp
y. [Reply Mail]              hira@allnet.ad.jp
[Assigned Date]              1999/05/17
[Return Date]
[Last Update]                1999/05/17 15:55:20 (JST)

hira@allnet.ad.jp

Use the value in "[Reply Mail]". The other thing you can do is to involve JPCERT on security related issues. From http://www.first.org/team-info/

JPCERT/CC
Japan Computer Emergency Response Team Coordination Center
Constituency: Internet community in Japan
Email: info@jpcert.or.jp
Telephone: +81 3-5575-7762 (9am - 5pm Monday to Friday, JST (GMT+0900))
Fax: +81 3-5575-7764
Membership Type: Full member
Last Verified: 25 May 1999

Regards,
Kevin
On Sun, 22 Oct 2000, Brian Wallingford wrote:
> At the risk of sounding entirely un-politically correct, is it possible to query whois.nic.ad.jp for actual contact information, vs. just company name? Color me frustrated, but, even with the "/e" extension, nic.ad.jp has been nearly useless for many moons. This strikes me as somewhat irresponsible.

It is entirely possible to do such. As described earlier, look for the nic-handles that have been supplied in the JPNIC output, ie:

a. [Network Number]          210.251.128.0-210.251.143.0
b. [Network Name]            ALLNET-CATV
m. [Administrative Contact]  YO020JP   <----

Then, perform a specific query for that nic-handle 'YO020JP', ie:

$ whois -h whois.nic.ad.jp YO020JP/e
a. [JPNIC Handle]            YO020JP
c. [Last, First]             Oishi, Yuichi
d. [E-Mail]                  oishi@allnet.ad.jp
g. [Organization]            TITUS COMMUNICATIONS CORPORATION
(etc).

The RIPE-style databases (RIPE, APNIC etc) provide you with the referenced nic-handles (if available) as part of the output, as separate database objects. The NSI-style databases (NSI, ARIN etc) embed the contact information in the whois output, but you can (like other dbs, including JPNIC) request contact details specifically if you know the nic-handle.

--==--
Bruce.
Employed by, but not speaking for, APNIC.
: predating NSI, APNIC and ARIN. And no, there is no standard for
: whois data that is published, let alone publishing at all.
: > >
: > > :sigh: I really wish we could get a common format for these.
: > > I really like the RIPE style databases.

I like ipw from the FreeBSD ports collection.

In this case ipw returns several lines of useful information, including

tech-c: YO020JP

Then the next step is

akbar% whois -h whois.nic.ad.jp YO020JP/e

giving you the answer you seek.

-bryan bradsby
unix admin
==================

On Sun, 22 Oct 2000, Jason Slagle wrote:

> Yes, but even geektools falls flat on its face for, let's say, 210.251.128.255.
>
> :sigh: I really wish we could get a common format for these.
>
> I really like the RIPE style databases.
>
> Jason
>
> ---
> Jason Slagle - CCNA - CCDA
> Network Administrator - Toledo Internet Access - Toledo Ohio
> raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
>
> On Sun, 22 Oct 2000, Joe Shaw wrote:
>
> > Yes, there is. Use the Geektools whois proxy at whois.geektools.com. You can also get the perl source and set up your own proxy, since they only allow something like 10 or so queries a day. I've used their source in a few tools and have had no real problems with it.
> >
> > Of course, once the technological means are taken care of you still have to have reliable contact information in the database, and someone who'll actually read your complaint and respond in an acceptable amount of time.
Bryan Bradsby writes:
> I like ipw from the FreeBSD ports collection.
Too bad the original source, against which the port was performed, isn't mirrored somewhere within freebsd.org, at least not that I could find.
> In this case ipw returns several lines of useful information, including
>
> tech-c: YO020JP

Yes, but that's only because ...

remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks:      Japanese output, use the /e switch for English output)

Had they not done so JPNIC itself doesn't appear to provide that detail ...

$ whois -h whois.nic.ad.jp 210.251.138.255/e
[whois.nic.ad.jp]
[ JPNIC database provides information on network administration. Its use is ]
[ restricted to network administration purposes. For further information, use ]
[ 'whois -h whois.nic.ad.jp help'. To suppress Japanese output, add '/e' at ]
[ the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

ALLNET(TITUS COMMUNICATIONS CORPORATION) ALLNET-CATV [210.251.128.0 <-> 210.251.143.255] 210.251.128.0-210.251.143.0

According to their "help" using a prefix character of % (percent sign) is supposed to "Expand the contact fileds or known sub-domains", yet ``whois -h whois.nic.ad.jp %210.251.138.255/e'' yields the same response.
Participants (10): Basil Kruglov, bmanning@vacation.karoshi.com, Brian Wallingford, Bruce Campbell, Bryan Bradsby, Jason Slagle, Joe Shaw, Kevin Houle, Mark Milhollan, Quark Physics