Tracing where it started
Clayton Fiske
clay at bloomcounty.org
Sat Jan 25 18:14:07 UTC 2003
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received
> their first attack packet, and where it came from, if they happened to
> be logging.
>
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 216.66.11.120
Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
All from 206.176.210.74, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).
After that, I saw nothing until the storm started last night from many
different source IPs, which was at Jan 24 21:31:53 PST for me.
-c
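
Added example, not part of the original post: a Python check that looks for the pattern described in the message above (one source walking consecutive addresses on UDP 1434, and whether its source port is 53) in log lines laid out like the excerpt. The function name, the run threshold, and the last three sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Layout assumed from the excerpt: "Mon DD HH:MM:SS src,sport -> dst,dport PR proto ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"(?P<src>[\w.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)

# First three lines are from the post; the last three are constructed sample data.
SAMPLE = """\
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
Jan 16 09:02:10 192.0.2.10,40112 -> x.x.x.7,53 PR udp len 20 61 IN
Jan 24 21:31:53 198.51.100.23,1038 -> x.x.x.9,1434 PR udp len 20 404 IN
Jan 24 21:31:54 203.0.113.77,2201 -> x.x.x.2,1434 PR udp len 20 404 IN
""".splitlines()

def find_sweeps(lines, dport=1434, min_run=3):
    """Return one finding per source that hit consecutive host addresses on udp/dport."""
    hits = defaultdict(list)  # (src, sport, dst prefix) -> [(last octet, timestamp)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "udp" or int(m["dport"]) != dport:
            continue
        prefix, _, host = m["dst"].rpartition(".")  # works on redacted x.x.x.N too
        if host.isdigit():
            hits[(m["src"], int(m["sport"]), prefix)].append((int(host), m["ts"]))
    findings = []
    for (src, sport, prefix), seen in hits.items():
        hosts = sorted({h for h, _ in seen})
        best = run = 1  # longest run of consecutive last octets
        for a, b in zip(hosts, hosts[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings.append({
                "src": src, "sport": sport, "prefix": prefix, "run": best,
                "first_seen": seen[0][1], "dns_source_port": sport == 53,
            })
    return findings

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```

Single packets from many different sources, like the constructed Jan 24 lines, do not form a run and are not reported as a sweep.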