Private routes advertised
Alex P. Rudnev
alex at Relcom.EU.net
Thu Apr 16 16:38:58 UTC 1998
We are seeing a long SMURF attack against the address 193.124.51.206. I ask
everyone who reads this list and can check traffic over his network to
check if he sees ICMP packets FROM 193.124.51.206 (SRC address) TO
129.72/16, 129.74/16 etc...
I don't think it's impossible to localise the intruder if he holds this
crazy program for so long (more than 6 hours). All that's necessary to
trace is the forged packets with the SRC address 193.124.51.206/32 and
DST addresses from the black list described here a few days ago.
What we see now is:
Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp
148.81.230.253 -> 193.
etc etc... These are echo-reply packets, and this means there exist
ECHO-REQUEST packets sent by the intruder.
On Thu, 16 Apr 1998, Sam Critchley wrote:
> Date: Thu, 16 Apr 1998 17:06:25 +0100 (BST)
> From: Sam Critchley <samc at uk.uu.net>
> To: administrator at lamere.net
> Cc: nanog at merit.edu
> Subject: Re: Private routes advertised
>
>
> Hello,
>
> I've forwarded this to the UUNET NOC. You can call them on 1-800-900-0241
> as well.
>
> Thanks,
>
>
> Sam Critchley
>
>
> On Thu, 16 Apr 1998 administrator at lamere.net wrote:
>
> > Hello,
> > alter.net is advertising private routes 192.168.nnn.nnn. Who do I
> > contact to get that shut down?
> >
> > Here is the traceroute on it.
> >
> > [C:\]tracerte 192.168.2.5
> > 0 lamere-r1.lamere.net (206.249.60.1) 8 ms 8 ms 0 ms
> > 1 lamere-r1.lamere.net (206.249.60.1) 0 ms 0 ms 0 ms
> > 2 206.249.57.241 (206.249.57.241) 8 ms 0 ms 0 ms
> > 3 loki.wordwrap.net (206.249.56.1) 0 ms 7 ms 0 ms
> > 4 bbr2-s401-wordwrap.ctel.net (208.221.76.165) 8 ms 203 ms 180 ms
> > 5 905.Hssi2-0.GW1.BOS1.ALTER.NET (157.130.4.25) 31 ms 156 ms 234 ms
> > 6 123.ATM2-0-0.XR2.BOS1.ALTER.NET (146.188.176.238) 8 ms 24 ms 15 ms
> > 7 190.ATM10-0-0.XR2.EWR1.ALTER.NET (146.188.176.153) 32 ms 85 ms 32 ms
> > 8 100.ATM10-0-0.TR2.EWR1.ALTER.NET (146.188.176.90) 39 ms 31 ms 23 ms
> > 9 105.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.189) 24 ms 23 ms 24 ms
> > 10 198.ATM8-0-0.XR2.TCO1.ALTER.NET (146.188.161.185) 32 ms 23 ms 24 ms
> > 11 192.ATM1-0-0.GW2.TCO1.ALTER.NET (146.188.160.53) 31 ms 32 ms 23 ms
> > 12 quantum-gw.customer.alter.net (157.130.34.170) 31 ms 31 ms 39 ms
> > 13 192.168.4.1 (192.168.4.1) 86 ms * 93 ms
> > 14 192.168.10.2 (192.168.10.2) 94 ms 94 ms 93 ms
> > 15 192.168.11.23 (192.168.11.23) 94 ms 86 ms 125 ms
> > 16 192.168.2.5 (192.168.2.5) 93 ms *
> >
> > Curtis
> >
> > --
> > -----------------------------------------------------------
> > Curtis Maurand
> > System Administrator
> > lamere.net Business Center
> > We'll get you Wired.
> > administrator at lamere.net
> > -----------------------------------------------------------
> >
> >
>
>
> ****************************************
> Sam Critchley
> International Systems Engineer
> UUNET
> samc at UU.net
> Tel: (+44) 1223 250444
> ****************************************
>
>
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
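The log excerpt above shows the victim-side signature of a smurf attack: ICMP echo-replies (type 0, the "(0/0)" field) arriving at one destination from many unrelated /16 networks, none of which the victim ever pinged. The following Python script is an added example, not part of the mailing-list message, that parses Cisco `%SEC-6-IPACCESSLOGDP` lines in the shape quoted above, flags a destination that is being reflected at by many distinct sources, collapses those sources into the /16 "black list" prefixes the message refers to, and produces the (SRC victim, DST reflector-prefix) pairs an upstream operator would watch for to find the interface the forged echo-requests enter on. The sample log is constructed from the six complete lines quoted above plus two unrelated entries; the function names and the threshold of five sources are assumptions for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Line shape taken from the %SEC-6-IPACCESSLOGDP entries quoted in the message.
# For icmp entries the "(a/b)" field is ICMP type/code: (0/0) is echo-reply, (8/0) echo-request.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+:\s+%SEC-6-IPACCESSLOGDP:\s+"
    r"list\s+(?P<acl>\d+)\s+denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<type>\d+)/(?P<code>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?$"
)

# Constructed sample: the complete lines quoted in the message, rejoined onto single
# lines, plus an echo-request entry and a single-source echo-reply entry to ignore.
SAMPLE_LOG = """\
Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:56 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 192.0.2.10 -> 193.124.51.7 (8/0), 1 packet
Apr 16 20:31:57 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 198.51.100.4 -> 193.124.51.9 (0/0), 3 packets
this line is not an ACL log entry and is skipped
"""


def parse(text):
    """Return one dict per well-formed ACL log line; numeric fields converted to int."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("type", "code", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_reflection_victims(records, min_sources=5):
    """Group ICMP echo-reply denials by destination.

    A destination receiving echo-replies from many distinct sources is the
    smurf victim: the replies answer echo-requests it never sent, forged with
    its address as SRC.  min_sources is an assumed threshold for this example.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0})
    for rec in records:
        if rec["proto"] != "icmp" or rec["type"] != 0:
            continue  # only echo-replies are reflection traffic
        by_dst[rec["dst"]]["sources"].add(rec["src"])
        by_dst[rec["dst"]]["packets"] += rec["count"]
    return {dst: v for dst, v in by_dst.items() if len(v["sources"]) >= min_sources}


def reflector_prefixes(sources, prefixlen=16):
    """Collapse reflector addresses into /16 prefixes (the 129.72/16-style list)."""
    nets = {ip_network(f"{s}/{prefixlen}", strict=False) for s in sources}
    return [str(n) for n in sorted(nets)]


def upstream_watch_pairs(victim, prefixes):
    """(SRC, DST-prefix) pairs an upstream should look for: packets with the victim's
    address as SRC heading toward the reflector prefixes are the forged echo-requests,
    and the interface they arrive on points back toward the sender."""
    return [(victim, p) for p in prefixes]


if __name__ == "__main__":
    victims = find_reflection_victims(parse(SAMPLE_LOG))
    for victim, info in victims.items():
        prefixes = reflector_prefixes(info["sources"])
        print(f"{victim}: {info['packets']} echo-replies from {len(info['sources'])} sources")
        for src, dst in upstream_watch_pairs(victim, prefixes):
            print(f"  watch for SRC {src} -> DST {dst}")
```

Run against a real ACL log the threshold should be set from the normal echo-reply rate of the monitored host; the six lines here are only one second of the attack the message describes. The reflectors themselves are not the attacker, so the prefix list is a tracing aid for upstream operators, not a block list: the fix on the reflector side is to stop answering directed broadcasts, and on the sender's side to filter forged source addresses at ingress.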