Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!

-hc

I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.

like, customers who never get attacked or anything, all of a sudden:

http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html

We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.

Anyone else?

I will dig more to look at the traffic.

On Sat, 25 Jan 2003, hc wrote:

> Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!
>
> -hc

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

On Sat, 25 Jan 2003, Alex Rubenstein wrote:

> I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
>
> like, customers who never get attacked or anything, all of a sudden:
>
> http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
>
> We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
>
> Anyone else?

Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over the world to any address on my network.

On Sat, 25 Jan 2003, Alex Rubenstein wrote:

> I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
>
> like, customers who never get attacked or anything, all of a sudden:
>
> http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
>
> We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
>
> Anyone else?
>
> I will dig more to look at the traffic.

Interesting, at almost the exact same time (call it 12:30), qwest dropped all but 1000 routes through IAD...still trying to get somebody on the phone at their IP noc, not having much luck. Genuity seems fine at the moment...

Any speculation yet? Kind of an odd coincidence of problems...

Oh, just got through...fiber cut in DC?

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

Same here...

My connection with AADS has doubled in traffic, and everything else.

I've doubled my network traffic since 11:30ish PM CST...

If anyone has an idea of what's going on...

AS5006 is where I'm at.

-Eric

On Sat, 25 Jan 2003, Andy Dills wrote:

> Date: Sat, 25 Jan 2003 01:37:29 -0500 (EST)
> From: Andy Dills <andy@xecu.net>
> To: Alex Rubenstein <alex@nac.net>
> Cc: hc <haesu@towardex.com>, "nanog@merit.edu" <nanog@merit.edu>
> Subject: Re: Level3 routing issues?
>
> On Sat, 25 Jan 2003, Alex Rubenstein wrote:
>
> > I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
> >
> > like, customers who never get attacked or anything, all of a sudden:
> >
> > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> >
> > We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
> >
> > Anyone else?
> >
> > I will dig more to look at the traffic.
>
> Interesting, at almost the exact same time (call it 12:30), qwest dropped all but 1000 routes through IAD...still trying to get somebody on the phone at their IP noc, not having much luck. Genuity seems fine at the moment...
>
> Any speculation yet? Kind of an odd coincidence of problems...
>
> Oh, just got through...fiber cut in DC?
>
> Andy
>
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Andy Dills 301-682-9972
> Xecunet, LLC www.xecu.net
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Dialup * Webhosting * E-Commerce * High-Speed Access

MSSQL worm/DDOS/Exploit on UDP/1434

A bunch of us are blocking UDP/1434 destinations.

http://www.nextgenss.com/advisories/mssql-udp.txt

Larry Rosenman
Internet America/PDQ.NET/neosoft.com
AS4278/AS3764

--On Saturday, January 25, 2003 02:15:59 -0500 Eric Whitehill <eric@botbay.net> wrote:

> Same here...
>
> My connection with AADS has doubled in traffic, and everything else.
>
> I've doubled my network traffic since 11:30ish PM CST...
>
> If anyone has an idea of what's going on...
>
> AS5006 is where I'm at.
>
> -Eric
>
> On Sat, 25 Jan 2003, Andy Dills wrote:
>
> > Date: Sat, 25 Jan 2003 01:37:29 -0500 (EST)
> > From: Andy Dills <andy@xecu.net>
> > To: Alex Rubenstein <alex@nac.net>
> > Cc: hc <haesu@towardex.com>, "nanog@merit.edu" <nanog@merit.edu>
> > Subject: Re: Level3 routing issues?
> >
> > On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> >
> > > I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
> > >
> > > like, customers who never get attacked or anything, all of a sudden:
> > >
> > > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> > >
> > > We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
> > >
> > > Anyone else?
> > >
> > > I will dig more to look at the traffic.
> >
> > Interesting, at almost the exact same time (call it 12:30), qwest dropped all but 1000 routes through IAD...still trying to get somebody on the phone at their IP noc, not having much luck. Genuity seems fine at the moment...
> >
> > Any speculation yet? Kind of an odd coincidence of problems...
> >
> > Oh, just got through...fiber cut in DC?
> >
> > Andy
> >
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Andy Dills 301-682-9972
> > Xecunet, LLC www.xecu.net
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > Dialup * Webhosting * E-Commerce * High-Speed Access

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

Yup - got that. I sent my post to nanog quite a while ago. Unfortunately, it took a little while to come to life. :)

Gee, I wonder why?

We're doing some really cool blocking now. Now it's time to get the customers to secure their boxen. :)

-Eric

On Sat, 25 Jan 2003, Larry Rosenman wrote:

> Date: Sat, 25 Jan 2003 03:44:39 -0600
> From: Larry Rosenman <ler@lerctr.org>
> To: Eric Whitehill <eric@botbay.net>, Andy Dills <andy@xecu.net>
> Cc: Alex Rubenstein <alex@nac.net>, hc <haesu@towardex.com>, "nanog@merit.edu" <nanog@merit.edu>
> Subject: Re: Level3 routing issues?
>
> MSSQL worm/DDOS/Exploit on UDP/1434
>
> A bunch of us are blocking UDP/1434 destinations.
>
> http://www.nextgenss.com/advisories/mssql-udp.txt
>
> Larry Rosenman
> Internet America/PDQ.NET/neosoft.com
> AS4278/AS3764
>
> --On Saturday, January 25, 2003 02:15:59 -0500 Eric Whitehill <eric@botbay.net> wrote:
>
> > Same here...
> >
> > My connection with AADS has doubled in traffic, and everything else.
> >
> > I've doubled my network traffic since 11:30ish PM CST...
> >
> > If anyone has an idea of what's going on...
> >
> > AS5006 is where I'm at.
> >
> > -Eric
> >
> > On Sat, 25 Jan 2003, Andy Dills wrote:
> >
> > > Date: Sat, 25 Jan 2003 01:37:29 -0500 (EST)
> > > From: Andy Dills <andy@xecu.net>
> > > To: Alex Rubenstein <alex@nac.net>
> > > Cc: hc <haesu@towardex.com>, "nanog@merit.edu" <nanog@merit.edu>
> > > Subject: Re: Level3 routing issues?
> > >
> > > On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> > >
> > > > I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
> > > >
> > > > like, customers who never get attacked or anything, all of a sudden:
> > > >
> > > > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> > > >
> > > > We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
> > > >
> > > > Anyone else?
> > > >
> > > > I will dig more to look at the traffic.
> > >
> > > Interesting, at almost the exact same time (call it 12:30), qwest dropped all but 1000 routes through IAD...still trying to get somebody on the phone at their IP noc, not having much luck. Genuity seems fine at the moment...
> > >
> > > Any speculation yet? Kind of an odd coincidence of problems...
> > >
> > > Oh, just got through...fiber cut in DC?
> > >
> > > Andy
> > >
> > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > > Andy Dills 301-682-9972
> > > Xecunet, LLC www.xecu.net
> > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > > Dialup * Webhosting * E-Commerce * High-Speed Access

Internap has posted an alert noting widespread latency and packetloss affecting all their pnaps.

Any SQL Server host at my facility shows an enormous traffic spike at the times below. We've begun filtering udp port 1434 in/out.

----- Original Message -----
From: "Andy Dills" <andy@xecu.net>
To: "Alex Rubenstein" <alex@nac.net>
Cc: "hc" <haesu@towardex.com>; <nanog@merit.edu>
Sent: Friday, January 24, 2003 10:37 PM
Subject: Re: Level3 routing issues?

> On Sat, 25 Jan 2003, Alex Rubenstein wrote:
>
> > I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
> >
> > like, customers who never get attacked or anything, all of a sudden:
> >
> > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> >
> > We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
> >
> > Anyone else?
> >
> > I will dig more to look at the traffic.
>
> Interesting, at almost the exact same time (call it 12:30), qwest dropped all but 1000 routes through IAD...still trying to get somebody on the phone at their IP noc, not having much luck. Genuity seems fine at the moment...
>
> Any speculation yet? Kind of an odd coincidence of problems...
>
> Oh, just got through...fiber cut in DC?
>
> Andy
>
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Andy Dills 301-682-9972
> Xecunet, LLC www.xecu.net
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Dialup * Webhosting * E-Commerce * High-Speed Access

We just had a box inside one of my customers networks start sending tons of small packets not sure what kind yet.

On Sat, 25 Jan 2003, Alex Rubenstein wrote:

> I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
>
> like, customers who never get attacked or anything, all of a sudden:
>
> http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
>
> We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
>
> Anyone else?
>
> I will dig more to look at the traffic.
>
> On Sat, 25 Jan 2003, hc wrote:
>
> > Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!
> >
> > -hc
>
> -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

We are also seeing this traffic at AS4436. Appears to be coming from IP addresses all over the space.

Here's a box that traps all of 165.227.0.0/16:

23:08:13.257197 165.194.123.131.1227 > 165.227.92.176.1434: udp 376
23:08:13.259778 129.187.150.78.2667 > 165.227.84.186.1434: udp 376
23:08:13.276695 61.40.143.242.3794 > 165.227.21.48.1434: udp 376
23:08:13.284191 128.218.133.213.1078 > 165.227.198.96.1434: udp 376
23:08:13.286648 169.229.141.44.1065 > 165.227.255.90.1434: udp 376
23:08:13.294512 218.232.109.22.3302 > 165.227.146.129.1434: udp 376
23:08:13.300412 137.79.10.100.2478 > 165.227.5.230.1434: udp 376
23:08:13.302869 128.143.100.86.1397 > 165.227.41.248.1434: udp 376
23:08:13.317327 203.226.64.220.3081 > 165.227.216.188.1434: udp 376
23:08:13.319908 209.41.170.8.4033 > 165.227.252.85.1434: udp 376
23:08:13.322365 64.71.177.201.2439 > 165.227.128.21.1434: udp 376
23:08:13.327937 216.120.60.154.3005 > 165.227.125.156.1434: udp 376
23:08:13.330435 64.239.145.3.3231 > 165.227.4.161.1434: udp 376
23:08:13.333016 204.228.229.106.4049 > 165.227.238.69.1434: udp 376
23:08:13.335350 212.209.231.186.52703 > 165.227.38.136.1434: udp 376
23:08:13.337930 207.46.200.162.2343 > 165.227.96.170.1434: udp 376
23:08:13.340388 61.178.83.30.4525 > 165.227.77.119.1434: udp 376
23:08:13.342887 62.250.16.28.1385 > 165.227.119.91.1434: udp 376
23:08:13.345468 66.155.116.10.1041 > 165.227.106.35.1434: udp 376
23:08:13.362506 207.226.255.124.2331 > 165.227.189.42.1434: udp 376
23:08:13.364964 63.241.139.196.1150 > 165.227.135.221.1434: udp 376
23:08:13.367422 66.109.239.200.1117 > 165.227.67.250.1434: udp 376
23:08:13.370042 194.100.187.36.2342 > 165.227.103.27.1434: udp 376
23:08:13.372501 158.38.141.86.3269 > 165.227.239.113.1434: udp 376
23:08:13.374959 212.71.66.23.2019 > 165.227.232.118.1434: udp 376
23:08:13.377417 158.38.141.65.1382 > 165.227.169.58.1434: udp 376
23:08:13.379915 130.127.8.157.2980 > 165.227.107.122.1434: udp 376
23:08:13.382496 207.46.200.146.2718 > 165.227.49.107.1434: udp 376
23:08:13.386100 80.237.200.171.1198 > 165.227.93.216.1434: udp 376
23:08:13.388557 64.71.180.135.1915 > 165.227.38.41.1434: udp 376
23:08:13.394660 211.117.60.188.2806 > 165.227.49.12.1434: udp 376

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Granados
Sent: Friday, January 24, 2003 10:41 PM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?

> We just had a box inside one of my customers networks start sending tons of small packets not sure what kind yet.
>
> On Sat, 25 Jan 2003, Alex Rubenstein wrote:
>
> > I dunno about that. But, I am seeing, in the last couple hours, all kinds of new traffic.
> >
> > like, customers who never get attacked or anything, all of a sudden:
> >
> > http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
> >
> > We are seeing this on ports all across our network -- nearly 1/2 our ports are in delta alarm right now.
> >
> > Anyone else?
> >
> > I will dig more to look at the traffic.
> >
> > On Sat, 25 Jan 2003, hc wrote:
> >
> > > Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!
> > >
> > > -hc
> >
> > -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
> > -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

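Added example, not part of any message in this thread: a small Python summarizer for capture lines in the tcpdump format shown in the post above, reporting how many distinct sources sent same-sized UDP packets to port 1434 inside a trap prefix. The function name, the scan_like thresholds and the sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Old-style tcpdump line, as in the post: "time src.sport > dst.dport: udp len"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

def summarize(lines, trap_prefix, port=1434):
    """Summarize UDP packets to `port` that landed in the trap prefix."""
    net = ipaddress.ip_network(trap_prefix)
    sources, targets, sizes = set(), set(), Counter()
    skipped = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            skipped += 1  # unparsable line: count it, do not guess
            continue
        if int(m["dport"]) != port or ipaddress.ip_address(m["dst"]) not in net:
            continue
        sources.add(m["src"])
        targets.add(m["dst"])
        sizes[int(m["len"])] += 1
    packets = sum(sizes.values())
    return {
        "packets": packets,
        "sources": len(sources),
        "targets": len(targets),
        "sizes": dict(sizes),
        "skipped": skipped,
        # Heuristic (assumed thresholds): several unrelated sources, every
        # packet to a different trapped address, one payload size. That is
        # the pattern of a randomly scanning worm, not of a real client.
        "scan_like": packets >= 3 and len(sources) > 1
                     and len(targets) == packets and len(sizes) == 1,
    }

# Constructed sample (documentation address ranges, not data from the thread).
SAMPLE = """\
23:08:13.257197 192.0.2.10.1227 > 203.0.113.176.1434: udp 376
23:08:13.259778 198.51.100.78.2667 > 203.0.113.84.1434: udp 376
23:08:13.276695 192.0.2.242.3794 > 203.0.113.21.1434: udp 376
23:08:13.280001 198.51.100.5.53211 > 203.0.113.9.53: udp 41
23:08:13.284191 198.51.100.213.1078 > 203.0.113.96.1434: udp 376
truncated line
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, "203.0.113.0/24"))
```
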