Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My firewalls are going nuts with hits on UDP port 1434 also from everywhere!
-----Original Message-----
From: Aaron Burnett [mailto:listkeep@yet-another.com]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.
Of the customers I've had to shut off for being DOS targets, all are windows boxen. Perhaps there is a new windows exploit?
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of hc
Sent: Friday, January 24, 2003 11:39 PM
To: Joel Perez
Cc: Aaron Burnett; Alex Rubenstein; nanog@merit.edu
Subject: Re: Level3 routing issues?
Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My firewalls are going nuts with hits on UDP port 1434 also from everywhere!
-----Original Message-----
From: Aaron Burnett [mailto:listkeep@yet-another.com]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.
Really bad. Quick capture of filter drops:
PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP space)/1434 dropped
On Sat, 25 Jan 2003, hc wrote:
Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My firewalls are going nuts with hits on UDP port 1434 also from everywhere!
-----Original Message-----
From: Aaron Burnett [mailto:listkeep@yet-another.com]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.
Really, really bad - most traffic I see is from this virus/dos:
Extended IP access list 152
    deny udp any any eq 1434 (5639464 matches) - 94%
    permit ip any any (311888 matches) - 6%
Wow!!!
On Fri, 24 Jan 2003 michael@aplatform.com wrote:
Really bad. Quick capture of filter drops:
PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP space)/1434 dropped
On Sat, 25 Jan 2003, hc wrote:
Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My firewalls are going nuts with hits on UDP port 1434 also from everywhere!
-----Original Message-----
From: Aaron Burnett [mailto:listkeep@yet-another.com]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.
What I'm seeing from on my personal network connections is a lot of traffic to udp port 1434 start at 05:30:08 UTC.

The sources appear very widespread, but I'm also seeing different effects on networks. Some backbones are being hit extremely hard, while others are just moderately impacted. I haven't figured out if it is a customer base difference, or if the worm is targeting. I haven't been willing to sacrifice one of my personal computers to the cause, so I don't know what's in the payload.

According to Matrix Systems, there was about a 10% drop over the next 30 minutes. Keynote's data shows several backbones impacted. BGP and DNS appear to be holding up more or less, but g.root-servers.net has left the building (may be self-inflicted withdrawal).

Cable & Wireless's sla.cw.net show no impact on their network.
UUNET's network status web site says Normal.
Earthlink's network status web site shows various maintenance activity.
SBC's network status web site says dial and dsl is Impaired.
I can't reach www.sprint.net.
AT&T's network status is unavailable while service enhancement is being performed.
> What I'm seeing from on my personal network connections is a lot of
> traffic to udp port 1434 start at 05:30:08 UTC.

I did some graphing of reports we got to DShield/ISC up to 9am EST.
http://isc.sans.org/port1434start.gif

The part that amazes me is the speed. It saturated within 1 minute!

Does anybody else see the oscillations in traffic? I remember seeing something similar in netflow data for slapper (2002 udp). Or is this just an artifact of our particular dataset?

So far, we got about 80,000 sources (distinct IPs sending port 1434 packets)

--
--------------------------------------------------------------------
jullrich@euclidian.com Collaborative Intrusion Detection
join http://www.dshield.org
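Added example, not part of any message in this thread: one way to turn filter-drop lines like the one quoted earlier into the per-port picture the posters describe (distinct sources, distinct local targets, share of all drops). The log line shape is assumed from that quoted line; the sample records, the function names and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape assumed from the filter-drop line quoted earlier in this thread.
DROP_RE = re.compile(
    r"PROTO (?P<proto>\d+) \(\w+\) pkt from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) dropped"
)

# Constructed sample (documentation address ranges), not real capture data.
SAMPLE = """\
PROTO 17 (UDP) pkt from 198.51.100.7/1033 to 192.0.2.10/1434 dropped
PROTO 17 (UDP) pkt from 203.0.113.44/1033 to 192.0.2.11/1434 dropped
PROTO 17 (UDP) pkt from 198.51.100.90/1033 to 192.0.2.200/1434 dropped
PROTO 17 (UDP) pkt from 203.0.113.5/1033 to 192.0.2.10/1434 dropped
PROTO 17 (UDP) pkt from 198.51.100.7/1033 to 192.0.2.77/1434 dropped
PROTO 17 (UDP) pkt from 203.0.113.44/1033 to 192.0.2.200/1434 dropped
PROTO 17 (UDP) pkt from 198.51.100.7/53 to 192.0.2.10/53 dropped
PROTO 6 (TCP) pkt from 203.0.113.5/40000 to 192.0.2.11/23 dropped
interface up: this line is not a drop record
"""

def summarize(lines):
    """Per (protocol, destination port): drops, distinct sources, distinct targets."""
    stats = defaultdict(lambda: {"drops": 0, "srcs": set(), "dsts": set()})
    for line in lines:
        m = DROP_RE.search(line)
        if m is None:
            continue  # skip anything that is not a filter-drop record
        entry = stats[(int(m["proto"]), int(m["dport"]))]
        entry["drops"] += 1
        entry["srcs"].add(m["src"])
        entry["dsts"].add(m["dst"])
    return stats

def sweep_ports(stats, min_srcs=3, min_dsts=3):
    """Ports hit by many sources across many local addresses, busiest first."""
    # Thresholds are illustrative; tune them to the size of the network.
    total = sum(e["drops"] for e in stats.values()) or 1
    flagged = [
        (proto, port, len(e["srcs"]), len(e["dsts"]), round(100 * e["drops"] / total))
        for (proto, port), e in stats.items()
        if len(e["srcs"]) >= min_srcs and len(e["dsts"]) >= min_dsts
    ]
    return sorted(flagged, key=lambda f: f[4], reverse=True)

if __name__ == "__main__":
    for row in sweep_ports(summarize(SAMPLE.splitlines())):
        print("proto %d port %d: %d sources -> %d targets, %d%% of drops" % row)
```

Requiring both many sources and many local targets separates a sweep of the whole address space from a single noisy host or a single attacked server.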
On Sat, 25 Jan 2003, Johannes Ullrich wrote:

:
: > What I'm seeing from on my personal network connections is a lot of
: > traffic to udp port 1434 start at 05:30:08 UTC.
:
: I did some graphing of reports we got to DShield/ISC up to 9am EST.
: http://isc.sans.org/port1434start.gif
:
: The part that amazes me is the speed. It saturated within 1 minute!

Maybe they read "How to Own the Internet in Your Spare Time?" :-)

scott

: Does anybody else see the oscillations in traffic? I remember seeing
: something similar in netflow data for slapper (2002 udp). Or is this
: just an artifact of our particular dataset?
:
: So far, we got about 80,000 sources (distinct IPs sending port 1434
: packets)
:
: --
: --------------------------------------------------------------------
: jullrich@euclidian.com Collaborative Intrusion Detection
: join http://www.dshield.org
Same here. One particular GigE port with a bunch of M$ servers on it pegged at precisely 998 mbps. Lovely.
Really bad. Quick capture of filter drops:
PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP space)/1434 dropped
On Sat, 25 Jan 2003, hc wrote:
Okay this is getting bad.. one of our routers just locked up from udp 1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My firewalls are going nuts with hits on UDP port 1434 also from everywhere!
-----Original Message-----
From: Aaron Burnett [mailto:listkeep@yet-another.com]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
Anyone else?
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.
--
Grant A. Kirkwood - grant(at)tnarg.org
Fingerprint = D337 48C4 4D00 232D 3444 1D5D 27F6 055A BF0C 4AED
participants (8)
- Christopher J. Wolff
- Grant A. Kirkwood
- hc
- Johannes Ullrich
- michael@aplatform.com
- Scott Weeks
- Sean Donelan
- william@elan.net