nanog mailing list archives

RE: DOS Attacks and reliable network contact data.
From: rdobbins () netmore net
Date: Sat, 21 Oct 2000 15:22:47 -0700



Port 6667 is used quite a bit for IRC traffic, FYI.

I think one of my customers got hit with 12mb/sec of this last night, too -
didn't do anything, as I've done all the usual stuff to avoid becoming an
amplifier.  It ran into ACLs in one of my MPLS-enabled switches, which
pretty much just ate it.  The attack was definitely distributed, because it
came in through two of my upstreams.

Based upon purely subjective experience, the info I get back from whois from
ARIN, APNIC, etc. has been looking more uniform, of late; I should think
that some good regexp might do the trick.

-----------------------------------------------------------
Roland Dobbins <rdobbins () netmore net> // 818.535.5024 voice 

-----Original Message-----
From: Jason Slagle [mailto:raistlin () tacorp net]
Sent: Saturday, October 21, 2000 2:15 PM
To: nanog () nanog org
Subject: DOS Attacks and reliable network contact data.



I've seen an increase in DOS attacks over the past week or so, of a form I
really haven't encountered before.  Below are some logs.

22:30:52.821705 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack
1062615418 win 0
22:30:52.821956 202.172.120.255.80 > 205.133.127.30.6667: R 0:0(0) ack
3046052966 win 0
22:30:52.822208 168.17.227.0.80 > 205.133.127.30.6667: S
21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack
2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack
529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127
win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack
1362286194 win 0

Lots and lots of TCP ACKs from broadcast addresses.  Looks like a new
kind of indirect SYN/ACK flood based on broadcast addresses.

Which led me to sort through my logs and do my best to get the amps shut
down, which led me to my current problem/gripe.

There exists no reliable way to get the contact of a network without first
querying ARIN, then APNIC, then the .jp registry, for instance.  This is a
royal PITA and is in no way scriptable that I can see.

Am I wrong?  Does such a thing exist?  What can we do about these attacks?

Jason

---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w---
O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------
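As an added example (not from either post), a small Python parser for tcpdump lines in the format quoted above: it counts ACK-bearing packets per target and tags those whose source is a network or broadcast address, which is what marks a reflected flood and also names the networks acting as amplifiers. The last-octet heuristic, the threshold and the function names are my assumptions; the sample log is constructed from the addresses in the post.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted in the post (the addresses are the ones it lists).
SAMPLE_LOG = """\
22:30:52.821705 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 1062615418 win 0
22:30:52.821956 202.172.120.255.80 > 205.133.127.30.6667: R 0:0(0) ack 3046052966 win 0
22:30:52.822208 168.17.227.0.80 > 205.133.127.30.6667: S 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): (?P<flags>[SRPFU.]+) (?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, dst, dport, flags, has_ack), or None for a line that is not a TCP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"], re.search(r"\back\b", m["rest"]) is not None

def looks_like_broadcast(ip):
    """Assumed heuristic: all-ones, or a last octet of 0/127/255 (network/broadcast of common prefixes)."""
    return ip == "255.255.255.255" or int(ip.rsplit(".", 1)[1]) in (0, 127, 255)

def summarize(log, min_reflected=5):
    """Per dst:port: ACK-bearing packet count, how many came from broadcast-like sources, flag mix, verdict."""
    per_target = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[4]:  # skip non-TCP lines and packets without ACK
            continue
        src, dst, dport, flags, _ = rec
        t = per_target.setdefault(f"{dst}:{dport}",
                                  {"acks": 0, "reflected": 0, "flags": Counter(), "amplifiers": set()})
        t["acks"] += 1
        t["flags"][flags] += 1
        if looks_like_broadcast(src):
            t["reflected"] += 1
            t["amplifiers"].add(src)  # networks whose broadcast address answered: the ones to contact
    for t in per_target.values():  # verdict: enough reflected ACKs and they dominate the ACK traffic
        t["suspected_reflected_flood"] = t["reflected"] >= min_reflected and 2 * t["reflected"] > t["acks"]
    return per_target
```

The "amplifiers" set is the list of networks whose contacts would need to be looked up, which is exactly the step the post finds hard to script.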
