Denial of service attacks apparently from UUNET Netblocks

Doug Davis dougd at airmail.net
Mon Oct 6 21:23:36 UTC 1997


Karl, 
we just went thru basically the same thing with UUNET. I have >500MB of
log files to show for it too :-(.  The attack started around 7pm CDT,
Sep 24th.  Good thing we are not totally dependent on uunet. With the
help of a kid in their NOC whom I badgered into working with me, I
believe we had located a router which would accept source routed
packets.  I say believe, because when we found something "not right" he
had to hang up on me and call someone else.  

A few minutes later the attack stopped.  

When I called back an hour or so later there was no mention of
whom I had talked to in their "call log" and I didn't get the
name as it was about the 5th person I was transferred to.

When the uunet security people returned my call (I left voice
mail, "Our office hours are from 8am to 5pm eastern time") fully 3 days
later, they did mention that they would be 24x7 "real soon now."  But
otherwise couldn't be of much help since the attack was no longer in
progress.  I guess we just go out of business while waiting.
Anyway, I made them the offer to email them a few hundred megs of
logs which they declined.

Oddly enough, the FBI called back within a few minutes and did
want the logs (we burned 'em a cd).

I've attached a small snippet of a tcpdump of the attack.  It
appears to differ from yours as the source address changes. It
was directed at one of our 28.8 dialup ports.  The incoming
packet rate averaged about 2mb.  


19:56:56.851502 snap 0:0:0:8:0 19.191.138.170.1900 > 206.66.14.112.57030: S 674719801:674719801(0) win 65535 (ttl 21, id 13324)
19:56:56.851502 snap 0:0:0:8:0 3.167.56.59.1900 > 206.66.14.112.57031: S 674719801:674719801(0) win 65535 (ttl 21, id 13325)
19:56:56.851502 snap 0:0:0:8:0 14.252.139.99.1900 > 206.66.14.112.57032: S 674719801:674719801(0) win 65535 (ttl 21, id 13326)
19:56:56.853455 snap 0:0:0:8:0 249.101.146.59.1900 > 206.66.14.112.57033: S 674719801:674719801(0) win 65535 (ttl 21, id 13327)
19:56:56.853455 snap 0:0:0:8:0 240.101.24.102.1900 > 206.66.14.112.57034: S 674719801:674719801(0) win 65535 (ttl 21, id 13328)
19:56:56.853455 snap 0:0:0:8:0 154.252.81.12.1900 > 206.66.14.112.57035: S 674719801:674719801(0) win 65535 (ttl 21, id 13329)
19:56:56.854432 snap 0:0:0:8:0 103.31.255.241.1900 > 206.66.14.112.57036: S 674719801:674719801(0) win 65535 (ttl 21, id 13330)
19:56:56.854432 snap 0:0:0:8:0 222.245.112.22.1900 > 206.66.14.112.57037: S 674719801:674719801(0) win 65535 (ttl 21, id 13331)
19:56:56.854432 snap 0:0:0:8:0 154.36.44.37.1900 > 206.66.14.112.57038: S 674719801:674719801(0) win 65535 (ttl 21, id 13332)
19:56:56.854432 snap 0:0:0:8:0 37.31.237.183.1900 > 206.66.14.112.57039: S 674719801:674719801(0) win 65535 (ttl 21, id 13333)
19:56:56.854432 snap 0:0:0:8:0 76.167.191.100.1900 > 206.66.14.112.57040: S 674719801:674719801(0) win 65535 (ttl 21, id 13334)
19:56:56.854432 snap 0:0:0:8:0 131.254.10.213.1900 > 206.66.14.112.57041: S 674719801:674719801(0) win 65535 (ttl 21, id 13335)
19:56:56.855409 snap 0:0:0:8:0 74.60.41.73.1900 > 206.66.14.112.57042: S 674719801:674719801(0) win 65535 (ttl 21, id 13336)
19:56:56.855409 snap 0:0:0:8:0 243.40.34.99.1900 > 206.66.14.112.57043: S 674719801:674719801(0) win 65535 (ttl 21, id 13337)
19:56:56.855409 snap 0:0:0:8:0 82.253.99.126.1900 > 206.66.14.112.57044: S 674719801:674719801(0) win 65535 (ttl 21, id 13338)
19:56:56.855409 snap 0:0:0:8:0 234.163.66.215.1900 > 206.66.14.112.57045: S 674719801:674719801(0) win 65535 (ttl 21, id 13339)
19:56:56.855409 snap 0:0:0:8:0 156.36.2.91.1900 > 206.66.14.112.57046: S 674719801:674719801(0) win 65535 (ttl 21, id 13340)
19:56:56.857362 snap 0:0:0:8:0 15.222.135.25.1900 > 206.66.14.112.57047: S 674719801:674719801(0) win 65535 (ttl 21, id 13341)
19:56:56.857362 snap 0:0:0:8:0 145.99.239.187.1900 > 206.66.14.112.57048: S 674719801:674719801(0) win 65535 (ttl 21, id 13342)
19:56:56.857362 snap 0:0:0:8:0 29.174.213.63.1900 > 206.66.14.112.57049: S 674719801:674719801(0) win 65535 (ttl 21, id 13343)
19:56:56.857362 snap 0:0:0:8:0 19.146.15.118.1900 > 206.66.14.112.57050: S 674719801:674719801(0) win 65535 (ttl 21, id 13344)
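
Added example, not part of the original message: a small Python parser for SYN lines in the format of the capture above, reporting the header fields that stay constant or merely count upward while the source address changes. The names flood_indicators and single_generator, and the threshold of three packets, are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# SYN lines as printed in the capture above; the link-layer token is optional.
LINE = re.compile(
    r"^\S+ (?:.*? )?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S (?P<isn>\d+):\d+\(0\) "
    r"win (?P<win>\d+) \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)")

# Six lines copied from the capture in the message.
SAMPLE = """\
19:56:56.851502 snap 0:0:0:8:0 19.191.138.170.1900 > 206.66.14.112.57030: S 674719801:674719801(0) win 65535 (ttl 21, id 13324)
19:56:56.851502 snap 0:0:0:8:0 3.167.56.59.1900 > 206.66.14.112.57031: S 674719801:674719801(0) win 65535 (ttl 21, id 13325)
19:56:56.851502 snap 0:0:0:8:0 14.252.139.99.1900 > 206.66.14.112.57032: S 674719801:674719801(0) win 65535 (ttl 21, id 13326)
19:56:56.853455 snap 0:0:0:8:0 249.101.146.59.1900 > 206.66.14.112.57033: S 674719801:674719801(0) win 65535 (ttl 21, id 13327)
19:56:56.853455 snap 0:0:0:8:0 240.101.24.102.1900 > 206.66.14.112.57034: S 674719801:674719801(0) win 65535 (ttl 21, id 13328)
19:56:56.853455 snap 0:0:0:8:0 154.252.81.12.1900 > 206.66.14.112.57035: S 674719801:674719801(0) win 65535 (ttl 21, id 13329)
""".splitlines()

def flood_indicators(lines):
    """Group SYNs by destination and summarize the header fields they share."""
    by_dst = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # lines in any other format are ignored
            by_dst[m["dst"]].append(m)
    report = {}
    for dst, pkts in by_dst.items():
        ids = [int(p["ipid"]) for p in pkts]
        srcs = {p["src"] for p in pkts}
        r = {
            "syns": len(pkts),
            "distinct_sources": len(srcs),
            "distinct_isn": len({p["isn"] for p in pkts}),
            "distinct_ttl": len({p["ttl"] for p in pkts}),
            # One IP stack numbering its own packets, allowing for 16-bit wrap.
            "ipid_sequential": all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:])),
            # Multicast (224/4) and reserved (240/4) can never be a real TCP source.
            "impossible_sources": sorted(
                s for s in srcs
                if ipaddress.ip_address(s).is_multicast or ipaddress.ip_address(s).is_reserved),
        }
        # Heuristic (an assumption of this example): every packet claims a new
        # source, yet ISN, TTL and the IP ID counter all point at one sender.
        r["single_generator"] = (r["syns"] >= 3 and r["distinct_sources"] == r["syns"]
            and r["distinct_isn"] == 1 and r["distinct_ttl"] == 1 and r["ipid_sequential"])
        report[dst] = r
    return report

if __name__ == "__main__":
    for dst, r in flood_indicators(SAMPLE).items():
        print(dst, r)
```

Because the sources are forged, filtering on source address does nothing here; the shared ISN, TTL and sequential IP IDs are the fields that can be matched on and handed to the upstream provider for tracing.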


