Tracing where it started

Mike Leber mleber at he.net
Sun Jan 26 06:17:17 UTC 2003



On Sun, 26 Jan 2003, Alex Rubenstein wrote:
> > +-----------------+
> > | 216.069.032.086 |  Kentucky Community and Technical College System
> > | 066.223.041.231 |  Interland
> > | 216.066.011.120 |  Hurricane Electric
> > | 216.098.178.081 |  V-Span, Inc.
> > +-----------------+
> 
> HE.net seems to be a recurring theme. (I speak to evil of them --
> actually, there are some good people over there).
> 
> However, it appears that one of the 'root' boxes of this attack was at HE.
> This is the third or fourth time I've seen their netblocks mentioned as
> the source of some of the first packets.

Looking at the router traffic graphs for the east and west coast the
attack started at the same time just before 9:30 PST or 12:30 EST.  I'm
sure the owners of some of the infected boxes would be able to give a
better chronology based on when their logs for other services (i.e. HTTP)
they might have been running stopped.

After looking at flow stats and figuring out that this wasn't an attack by
a single compromised box we blocked udp port 1434 on several of our core
routers.  We then went back and contacted customers whose IPs showed up in
our flow stats.  Some were reachable and coordinated with our support to
disconnect their MSSQL servers or otherwise shut down MSSQL.  We then went
through all our customer aggregation switches looking for ports that had
the pattern of the attack, i.e. 25000 pps inbound to our switch, 10
packets outbound on a 100 Mbps port.  We shut down about 7 customer ports
in New York and about 16 in California.  These customers were contacted
and the majority of them have patched their machines, a few are still off.

Some Hurricane sites like our San Jose site were unaffected (no change
from normal traffic levels) indicating any Windows users there had
previously patched.

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber           Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric     Web Hosting  Colocation       Fax 510 580 4151 |
| mleber at he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
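The two checks Mike describes (source IPs that show up in flow stats sending udp/1434, and aggregation-switch ports that are blasting inbound with almost nothing coming back out) are easy to run mechanically over exported counters. The following is an added example written for this archive page, not code from the thread or from Hurricane Electric; the flow records, port counters and thresholds are constructed, and the 404-byte on-the-wire size used for the utilization estimate is an assumption (the worm's 376-byte UDP payload plus 28 bytes of IPv4/UDP header).

```python
"""Flag udp/1434 worm sources in flow records and customer ports that show the
one-way blast pattern (high inbound pps to the switch, near-zero outbound).
Added example; all sample data below is constructed, not from the original post."""

from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets).
# RFC 5737 documentation addresses only.
SAMPLE_FLOWS = [
    ("192.0.2.10",   "198.51.100.7",   "udp", 1434, 18000),
    ("192.0.2.10",   "203.0.113.99",   "udp", 1434,  7000),
    ("192.0.2.44",   "198.51.100.80",  "tcp",   80,   120),
    ("192.0.2.77",   "203.0.113.5",    "udp", 1434,     3),  # a few probes, not a spraying host
    ("192.0.2.91",   "198.51.100.53",  "udp",   53,   900),
    ("198.51.100.7", "192.0.2.10",     "udp", 1434,     1),  # single inbound probe
    ("192.0.2.120",  "203.0.113.200",  "udp", 1434, 26000),
]

# Constructed per-port counters for a 1-second sample. "in_pps" is what the
# customer pushes into the switch port; "out_pps" is what the switch sends back.
SAMPLE_PORT_COUNTERS = {
    "nyc-sw1 gi0/3":  {"in_pps": 25000, "out_pps": 10,    "speed_mbps": 100},
    "nyc-sw1 gi0/4":  {"in_pps": 800,   "out_pps": 950,   "speed_mbps": 100},
    "sjc-sw2 gi0/12": {"in_pps": 24000, "out_pps": 4,     "speed_mbps": 100},
    "sjc-sw2 gi0/13": {"in_pps": 30000, "out_pps": 28000, "speed_mbps": 1000},  # busy but two-way
}

WORM_DATAGRAM_BYTES = 404  # assumed: 376-byte payload + 20 IPv4 + 8 UDP


def infected_sources(flows, dport=1434, min_packets=1000):
    """Sum UDP packets per source IP toward dport and return (src, packets) for
    every source at or above min_packets, largest first. An infected host emits
    tens of thousands of datagrams a second, so a four-digit floor is generous
    while still excluding a handful of inbound probes or replies."""
    totals = defaultdict(int)
    for src, _dst, proto, port, packets in flows:
        if proto == "udp" and port == dport:
            totals[src] += packets
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(src, n) for src, n in ranked if n >= min_packets]


def suspicious_ports(counters, min_in_pps=20000, max_out_pps=50):
    """Return port names whose inbound rate is high while almost nothing flows
    back out: the one-way pattern of a host spraying a UDP worm, as opposed to a
    busy but symmetric port."""
    return sorted(
        name for name, c in counters.items()
        if c["in_pps"] >= min_in_pps and c["out_pps"] <= max_out_pps
    )


def utilization_pct(pps, speed_mbps, bytes_per_packet=WORM_DATAGRAM_BYTES):
    """Estimate link utilization (percent) for a packet rate at a given frame
    size; shows why 25000 pps of 404-byte datagrams fills most of a 100 Mbps port."""
    return pps * bytes_per_packet * 8 / (speed_mbps * 1_000_000) * 100


if __name__ == "__main__":
    for src, n in infected_sources(SAMPLE_FLOWS):
        print(f"contact owner of {src}: {n} udp/1434 packets in sample")
    for port in suspicious_ports(SAMPLE_PORT_COUNTERS):
        c = SAMPLE_PORT_COUNTERS[port]
        print(f"shut {port}: {c['in_pps']} pps in / {c['out_pps']} pps out, "
              f"~{utilization_pct(c['in_pps'], c['speed_mbps']):.0f}% of link")
```

The flow check drives the customer-contact list and the port check drives which customer ports to shut; the utilization estimate makes the point that a single infected box behind a 100 Mbps port saturates that port on its own, which is why unaffected sites showed no change from normal traffic at all.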
