Denial of service attacks apparently from UUNET Netblocks
karl at Mcs.Net
Mon Oct 6 06:58:57 UTC 1997
Ladies and Gentlemen,
This evening, at 11:45 PM CDT, a serious and severe denial of service attack
was launched against MCSNet.
This was a very well-coordinated effort which crippled us for over an hour.
The individuals involved sourced traffic from 207.76.*.* towards *unicast*
addresses within our network and to bogus addresses also in the same
The machines implicated individually as sources, so far, all appear to be
MAX TNTs within UUNET's core.
Examples are 188.8.131.52 and 184.108.40.206/164.
Each of the source addresses hit several machines with essentially-identical
packet and byte counts over a sustained period. The attack came from several
different core blocks in 207.76, and was received on *both* of our primary
DS-3 feeds, burying the core network segments inside our Chicago offices
and rendering the network essentially unusable.
We have taken measures to both capture repeat attempts and filter selected
source locations in an attempt to prevent a reoccurrence. We *did* get a
good trace on the tail end of the attack; it clearly delineated the source
of the data.
Due to the highly-concentrated nature of this attack, its unicast
destinations, the fact that we refuse source-routed traffic and further
refuse directed broadcasts, I am at this point assuming that the source
addresses which we saw are genuine.
This might indicate that either someone inside UUNET was responsible, or
that someone has penetrated UUNET's internal security and compromised the
source devices. As TNTs are typically connected to very-high-speed egress
pathways, they would be quite capable of sourcing the data flows we saw this
Again, this was *NOT* a smurf attack; it neither fit the profile nor would
it have had the pattern of source and destination addresses which we
We are treating this as a criminal matter and referring it to the federal
authorities in the morning.
At this point our network status is nominal.
Other operators may wish to be on the lookout for similar types of attacks,
and extreme packet rates which are sourced from these address blocks.
We have taken preventive measures against a repeat performance; this may
inconvenience some legitimate users, but frankly, until we can figure out
what's going on and UUNET decides to get on the phone with us relating to
this incident we're going to act conservatively to preserve our operational
Again, we're not casting aspersions on UUNET directly in this matter, other
than the documented fact that the source addresses of the packets were all
within the above listed netblock.
However, it is worthy of note that of the various carriers we contacted
during this incident, NONE were able to be reached with someone who knew
what they were doing for over an *HOUR*.
Folks, this is unacceptable. Our customers were in touch with me inside of
10 minutes into this thing, and I find it incredible that none of the other
national providers involved think this kind of incident is important enough
to have people on-call and available during off-hours to cover this.
If someone of these people HAD been available, we might have caught the
perpetrator(s) in the act.
Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
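
Added example (not part of the original post): a sketch of how an operator might pick out the traffic signature described above, where sources inside a watched netblock each send heavy, near-identical packet and byte counts to several unicast destinations. The flow tuple layout, the thresholds and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (source, destination, packets, bytes).
# Addresses come from documentation ranges, not from the incident.
FLOWS = [
    ("198.51.100.10", "203.0.113.5", 90000, 5760000),
    ("198.51.100.10", "203.0.113.6", 90010, 5760640),
    ("198.51.100.10", "203.0.113.7", 89990, 5759360),
    ("198.51.100.22", "203.0.113.5", 45000, 2880000),
    ("198.51.100.22", "203.0.113.9", 45020, 2881280),
    ("198.51.100.22", "203.0.113.6", 44980, 2878720),
    ("198.51.100.40", "203.0.113.5", 1200, 900000),   # ordinary client
    ("198.51.100.40", "203.0.113.8", 15, 4000),
    ("198.51.100.40", "203.0.113.6", 300, 21000),
    ("192.0.2.77", "203.0.113.5", 80000, 5120000),    # outside watched block
    ("192.0.2.77", "203.0.113.6", 80000, 5120000),
    ("192.0.2.77", "203.0.113.7", 80000, 5120000),
]

def spread(values):
    """Coefficient of variation: 0.0 means every value is identical."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def uniform_sources(flows, watch, min_dests=3, min_packets=10000, max_spread=0.02):
    """Return {source: destination_count} for sources inside `watch` that sent
    a heavy, near-identical packet and byte volume to several destinations."""
    net = ipaddress.ip_network(watch)
    per_src = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, dst, pkts, octets in flows:
        if ipaddress.ip_address(src) in net:
            per_src[src][dst][0] += pkts
            per_src[src][dst][1] += octets
    flagged = {}
    for src, dests in per_src.items():
        pkts = [c[0] for c in dests.values()]
        octs = [c[1] for c in dests.values()]
        if (len(dests) >= min_dests and min(pkts) >= min_packets
                and spread(pkts) <= max_spread and spread(octs) <= max_spread):
            flagged[src] = len(dests)
    return flagged

if __name__ == "__main__":
    for src, n in sorted(uniform_sources(FLOWS, "198.51.100.0/24").items()):
        print(f"{src}: near-identical volume to {n} destinations")
```

The thresholds are illustrative and would need tuning against a site's normal traffic before being used for filtering decisions.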