Denial of service attacks apparently from UUNET Netblocks

Karl Denninger karl at Mcs.Net
Mon Oct 6 06:58:57 UTC 1997


Ladies and Gentlemen,

This evening, at 11:45 PM CDT, a serious and severe denial of service attack
was launched against MCSNet.

This was a very well-coordinated effort which crippled us for over an hour.

The individuals involved sourced traffic from 207.76.*.* towards *unicast*
addresses within our network and to bogus addresses also in the same 
netblocks.

The machines implicated individually as sources, so far, all appear to be 
MAX TNTs within UUNET's core.

Examples are 207.76.40.175 and 207.76.57.161/164.

Each of the source addresses hit several machines with essentially-identical
packet and byte counts over a sustained period.  The attack came from several
different core blocks in 207.76, and was received on *both* of our primary 
DS-3 feeds, burying the core network segments inside our Chicago offices 
and rendering the network essentially unusable.

We have taken measures to both capture repeat attempts and filter selected
source locations in an attempt to prevent a recurrence.  We *did* get a
good trace on the tail end of the attack; it clearly delineated the source
of the data.

Due to the highly-concentrated nature of this attack, its unicast
destinations, the fact that we refuse source-routed traffic and further
refuse directed broadcasts, I am at this point assuming that the source
addresses which we saw are genuine.

This might indicate that either someone inside UUNET was responsible, or
that someone has penetrated UUNET's internal security and compromised the
source devices.  As TNTs are typically connected to very-high-speed egress
pathways, they would be quite capable of sourcing the data flows we saw this
evening.

Again, this was *NOT* a smurf attack; it neither fit the profile nor would
it have had the pattern of source and destination addresses which we
captured.

We are treating this as a criminal matter and referring it to the federal 
authorities in the morning.  

At this point our network status is nominal.

Other operators may wish to be on the lookout for similar types of attacks,
and extreme packet rates which are sourced from these address blocks.  

We have taken preventive measures against a repeat performance; this may
inconvenience some legitimate users, but frankly, until we can figure out
what's going on and UUNET decides to get on the phone with us relating to
this incident we're going to act conservatively to preserve our operational
status.

Again, we're not casting aspersions on UUNET directly in this matter, other 
than the documented fact that the source addresses of the packets were all 
within the above listed netblock.

However, it is worthy of note that of the various carriers we contacted
during this incident, NONE were able to be reached with someone who knew
what they were doing for over an *HOUR*.

Folks, this is unacceptable.  Our customers were in touch with me inside of
10 minutes into this thing, and I find it incredible that none of the other
national providers involved think this kind of incident is important enough
to have people on-call and available during off-hours to cover this.

If some of these people HAD been available, we might have caught the
perpetrator(s) in the act.

-- 
Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
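As an added example, not part of Karl's post, here is a small Python check over constructed flow summaries for the pattern he describes: several sources each sending essentially identical packet and byte counts to multiple unicast hosts in the victim block, with broadcast destinations (the smurf signature) excluded and the hits grouped by upstream prefix. The FLOWS records, the 192.0.2.0/24 stand-in victim block and the 2% tolerance are assumptions.

```python
"""Flag sources that hit several unicast hosts in a victim netblock with
near-identical packet/byte counts (the pattern the post describes). Added
example, not from the post; FLOWS is constructed, with RFC 5737 stand-ins."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed per-flow summaries: (src, dst, packets, bytes).
FLOWS = [
    ("207.76.40.175", "192.0.2.10", 98000, 4410000),
    ("207.76.40.175", "192.0.2.11", 97800, 4401000),
    ("207.76.40.175", "192.0.2.12", 98100, 4414500),
    ("207.76.57.161", "192.0.2.10", 98050, 4412250),
    ("207.76.57.161", "192.0.2.13", 97950, 4407750),
    ("207.76.57.164", "192.0.2.11", 98000, 4410000),
    ("207.76.57.164", "192.0.2.12", 97900, 4405500),
    ("198.51.100.5", "192.0.2.10", 1200, 90000),     # ordinary, uneven traffic
    ("198.51.100.5", "192.0.2.11", 40, 3000),
    ("207.76.10.9", "192.0.2.255", 50000, 2000000),  # broadcast dst, ignored
]
VICTIM_NET = ip_network("192.0.2.0/24")  # constructed stand-in netblock

def spread(values):
    """Relative spread (max - min) / mean; 0.0 means identical counts."""
    return (max(values) - min(values)) / (sum(values) / len(values))

def find_coordinated_sources(flows, victim_net, tolerance=0.02, min_targets=2):
    """Return {src: sorted dsts} for sources reaching >= min_targets distinct
    unicast hosts in victim_net with packet AND byte counts within tolerance."""
    per_src = defaultdict(list)
    for src, dst, pkts, nbytes in flows:
        d = ip_address(dst)
        # Unicast only: a broadcast destination would point at reflection (smurf).
        if d not in victim_net or d == victim_net.broadcast_address:
            continue
        per_src[src].append((dst, pkts, nbytes))
    suspects = {}
    for src, recs in per_src.items():
        if len({dst for dst, _, _ in recs}) < min_targets:
            continue
        if (spread([p for _, p, _ in recs]) <= tolerance
                and spread([b for _, _, b in recs]) <= tolerance):
            suspects[src] = sorted(dst for dst, _, _ in recs)
    return suspects

def group_by_prefix(sources, prefixlen=24):
    """Group suspect sources by enclosing prefix to see which upstream
    blocks are implicated before deciding how narrowly to filter."""
    groups = defaultdict(list)
    for src in sources:
        groups[str(ip_network(f"{src}/{prefixlen}", strict=False))].append(src)
    return {k: sorted(v) for k, v in groups.items()}
```

Sources with widely varying counts to their targets (normal traffic) and flows aimed at the broadcast address fall out of the result, leaving only the coordinated pattern.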
