Weird attack or traffic (Was Re: The impending DDoS storm)

Mike Tancsa mike at sentex.net
Fri Aug 15 05:25:09 UTC 2003




Yes, we are starting to see this as well.  We are filtering at the edge, so 
the bogus packets are not getting out.

We have a /19 of 64.7.128.0/19 and 64.7.229.241 is totally bogus for our 
network.

Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.229.241:1069 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.39.113:1904 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.105.240:1739 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.235.113:1178 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.46.113:1014 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.111.240:1849 204.79.188.11:80 out via fxp1
Aug 14 21:59:17 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.176.240:1685 204.79.188.11:80 out via fxp1


         ---Mike

At 01:04 AM 15/08/2003 -0400, Haesu wrote:

>Is anyone else seeing backscatters on your network about 
>windowsupdate.com's IP?
>
>Someone who transits through 65.123.21.137 router is sending out lots of packets
>to 204.79.188.11 (windowsupdate.com) in which it's not currently advertised to
>internet as we speak. Not to mention, packets seem to be source-spoofed to
>65.124.16.0/21 (our block), causing backscatter from 65.123.21.137 to our
>network...
>
>Any ideas/or anyone seeing similar effect? Is someone who is administrative to
>Qwest Communications WASH01-WAN-65-123-21 (NET-65-123-21-0-1) aware of this may
>be? It looks like a Qwest customer CPE router to me but I dunno..
>
>See below for traffic snapshot..
>
>-hc
>
>--
>Sincerely,
>   Haesu C.
>   TowardEX Technologies, Inc.
>   WWW: http://www.towardex.com
>   E-mail: haesu at towardex.com
>   Cell: (978) 394-2867
>
>00:50:22.807370 65.123.21.137 > 65.124.23.125: icmp: net 204.79.188.11 unreachable
>00:50:22.891672 65.123.21.137 > 65.124.22.48: icmp: net 204.79.188.11 unreachable
>00:50:22.979997 65.123.21.137 > 65.124.22.98: icmp: net 204.79.188.11 unreachable
>00:50:23.047340 65.123.21.137 > 65.124.22.21: icmp: net 204.79.188.11 unreachable
>00:50:23.133616 65.123.21.137 > 65.124.22.72: icmp: net 204.79.188.11 unreachable
>00:50:23.520405 65.123.21.137 > 65.124.23.107: icmp: net 204.79.188.11 unreachable
>00:50:23.745844 65.123.21.137 > 65.124.22.3: icmp: net 204.79.188.11 unreachable
>00:50:23.829309 65.123.21.137 > 65.124.22.54: icmp: net 204.79.188.11 unreachable
>00:50:24.493650 65.123.21.137 > 65.124.23.113: icmp: net 204.79.188.11 unreachable
>00:50:24.530074 65.123.21.137 > 65.124.23.35: icmp: net 204.79.188.11 unreachable
>00:50:24.618082 65.123.21.137 > 65.124.23.86: icmp: net 204.79.188.11 unreachable
>00:47:50.611529 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
>00:47:50.649962 65.123.21.137 > 65.124.17.151: icmp: net 204.79.188.11 unreachable
>00:47:50.711865 65.123.21.137 > 65.124.17.124: icmp: net 204.79.188.11 unreachable
>00:47:50.756960 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
>00:47:50.826367 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
>00:47:52.355967 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
>00:47:52.587141 65.123.21.137 > 65.124.20.46: icmp: net 204.79.188.11 unreachable
>00:47:53.865460 65.123.21.137 > 65.124.22.87: icmp: net 204.79.188.11 unreachable
>
>00:48:05.250757 65.123.21.137 > 65.124.16.1: icmp: net 204.79.188.11 unreachable
>00:48:05.713640 65.123.21.137 > 65.124.17.86: icmp: net 204.79.188.11 unreachable
>00:48:05.841169 65.123.21.137 > 65.124.17.60: icmp: net 204.79.188.11 unreachable
>00:48:06.013042 65.123.21.137 > 65.124.16.33: icmp: net 204.79.188.11 unreachable
>00:48:06.549540 65.123.21.137 > 65.124.17.41: icmp: net 204.79.188.11 unreachable
>00:48:06.803847 65.123.21.137 > 65.124.17.92: icmp: net 204.79.188.11 unreachable
>00:48:06.981930 65.123.21.137 > 65.124.17.15: icmp: net 204.79.188.11 unreachable
>00:48:07.277776 65.123.21.137 > 65.124.18.100: icmp: net 204.79.188.11 unreachable
>00:48:07.343120 65.123.21.137 > 65.124.18.74: icmp: net 204.79.188.11 unreachable
>00:48:07.486285 65.123.21.137 > 65.124.17.47: icmp: net 204.79.188.11 unreachable
>00:48:07.569901 65.123.21.137 > 65.124.20.8: icmp: net 204.79.188.11 unreachable
>00:48:08.117407 65.123.21.137 > 65.124.18.106: icmp: net 204.79.188.11 unreachable
>00:48:08.356732 65.123.21.137 > 65.124.20.41: icmp: net 204.79.188.11 unreachable
>00:48:08.637485 65.123.21.137 > 65.124.20.14: icmp: net 204.79.188.11 unreachable
>00:48:08.944750 65.123.21.137 > 65.124.22.126: icmp: net 204.79.188.11 unreachable
>00:48:08.946623 65.123.21.137 > 65.124.22.49: icmp: net 204.79.188.11 unreachable
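
Added example, not part of Mike's message or the quoted post: a Python sketch of the check that the edge filter's log makes possible. It parses ipfw log lines in the format shown in the message and counts denied outbound packets whose source lies outside the assigned 64.7.128.0/19. The function names are assumptions of this example, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# The network's own allocation, as stated in the message.
ASSIGNED = [ipaddress.ip_network("64.7.128.0/19")]

# First three lines are from the message (unwrapped); the last two are
# constructed: an in-prefix source denied by another rule, and a non-ipfw line.
SAMPLE_LOG = """\
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.229.241:1069 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.39.113:1904 204.79.188.11:80 out via fxp1
Aug 14 21:59:16 telus-151front /kernel: ipfw: 30000 Deny TCP 64.7.105.240:1739 204.79.188.11:80 out via fxp1
Aug 14 21:59:17 telus-151front /kernel: ipfw: 20000 Deny TCP 64.7.140.10:3345 192.0.2.25:25 out via fxp1
Aug 14 21:59:17 telus-151front /kernel: fxp1: link state changed to UP
"""

# Ports are optional so that ICMP entries (which carry no port) still parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<ifname>\S+)"
)

def is_assigned(addr, prefixes=ASSIGNED):
    """True if addr belongs to one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def spoofed_egress(log_text, prefixes=ASSIGNED):
    """Return (per-destination packet counts, per-destination source sets,
    number of unparsed lines) for denied outbound packets with foreign sources."""
    counts, sources, skipped = Counter(), {}, 0
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if m is None:
            skipped += 1
            continue
        if m["action"] != "Deny" or m["dir"] != "out" or is_assigned(m["src"], prefixes):
            continue
        key = (m["dst"], m["dport"])
        counts[key] += 1
        sources.setdefault(key, set()).add(m["src"])
    return counts, sources, skipped

if __name__ == "__main__":
    counts, sources, skipped = spoofed_egress(SAMPLE_LOG)
    for (dst, dport), n in counts.most_common():
        print(f"{dst}:{dport} {n} packets from {len(sources[(dst, dport)])} spoofed sources")
```

Many distinct out-of-prefix sources converging on one destination and port, as in the log above, points at a host inside the network forging addresses rather than at a misconfigured customer.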




More information about the NANOG mailing list