Tracing where it started

Scott Granados scott at wworks.net
Sun Jan 26 07:04:23 UTC 2003


Just to add to this.  We noticed a sudden burst and terminated ports to
customers infected as well. I never noticed anything odd from HE and we also
applied 1434 blocks very quickly.  Thankfully, our most infected customer
crashed his internal core and took him offline anyway :).



----- Original Message -----
From: "Mike Leber" <mleber at he.net>
To: "Alex Rubenstein" <alex at nac.net>
Cc: "Johannes Ullrich" <jullrich at euclidian.com>; "Travis Pugh"
<tdp at discombobulated.net>; <nanog at merit.edu>
Sent: Saturday, January 25, 2003 10:17 PM
Subject: Re: Tracing where it started


>
>
> On Sun, 26 Jan 2003, Alex Rubenstein wrote:
> > > +-----------------+
> > > | 216.069.032.086 |  Kentucky Community and Technical College System
> > > | 066.223.041.231 |  Interland
> > > | 216.066.011.120 |  Hurricane Electric
> > > | 216.098.178.081 |  V-Span, Inc.
> > > +-----------------+
> >
> > HE.net seems to be a recurring theme. (I speak to evil of them --
> > actually, there are some good people over there).
> >
> > However, it appears that one of the 'root' boxes of this attack was at
> > HE.  This is the third or fourth time I've seen their netblocks mentioned as
> > the source of some of the first packets.
>
> Looking at the router traffic graphs for the east and west coast the
> attack started at the same time just before 9:30 PST or 12:30 EST.  I'm
> sure the owners of some of the infected boxes would be able to give a
> better chronology based on when their logs for other services (i.e. HTTP)
> they might have been running stopped.
>
> After looking at flow stats and figuring out that this wasn't an attack by
> a single compromised box we blocked udp port 1434 on several of our core
> routers.  We then went back and contacted customers whose IPs showed up in
> our flow stats.  Some were reachable and coordinated with our support to
> disconnect their MSSQL servers or otherwise shutdown MSSQL.  We then went
> through all our customer aggregation switches looking for ports that had
> the pattern of the attack, i.e. 25000 pps inbound to our switch, 10
> packets outbound on a 100 Mbps port.  We shut down about 7 customer ports
> in New York and about 16 in California.  These customers were contacted
> and the majority of them have patched their machines, a few are still off.
>
> Some Hurricane sites like our San Jose site were unaffected (no change
> from normal traffic levels) indicating any Windows users there had
> previously patched.
>
> Mike.
>
> +----------------- H U R R I C A N E - E L E C T R I C -----------------+
> | Mike Leber           Direct Internet Connections   Voice 510 580 4100 |
> | Hurricane Electric     Web Hosting  Colocation       Fax 510 580 4151 |
> | mleber at he.net                                       http://www.he.net |
> +-----------------------------------------------------------------------+
>
>
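
The procedure Mike describes above (read the flow stats, find the hosts spraying UDP 1434, then walk the aggregation switches for ports showing roughly 25000 pps inbound and almost nothing outbound) can be expressed as two small detection checks. The script below is an added example, not code from the NANOG thread or from Hurricane Electric; every address, port name, counter value and threshold in it is constructed sample data chosen to reproduce the pattern in the thread, and the thresholds (100 destinations, 200 pps, 10000 pps inbound, a 1:1000 outbound ratio) are assumptions, not operational numbers from the post.

```python
"""Spot SQL Slammer-style hosts from flow records and switch port counters.

Added example, not code from the NANOG thread: it encodes the two signals
described in the post (sources spraying UDP/1434 in the flow stats, and
customer switch ports with tens of thousands of pps inbound and almost
nothing outbound). All addresses, port names, counters and thresholds are
constructed sample data / assumptions.
"""
from collections import defaultdict

SLAMMER_PORT = 1434
UDP = 17
TCP = 6


def constructed_flows():
    """Constructed flow records (src, dst, proto, dst_port, packets)
    covering a one-second sampling window."""
    flows = []
    # Infected box: one UDP/1434 datagram to each of 300 pseudo-random hosts.
    for i in range(300):
        flows.append(("192.0.2.10", f"10.{i >> 8}.{i & 255}.1",
                      UDP, SLAMMER_PORT, 1))
    # Legitimate client asking two SQL servers for instance info (UDP/1434 too).
    flows.append(("192.0.2.20", "198.51.100.5", UDP, SLAMMER_PORT, 40))
    flows.append(("192.0.2.20", "198.51.100.6", UDP, SLAMMER_PORT, 40))
    # Busy web server replying to 150 clients' ephemeral ports: many
    # destinations, but TCP and not port 1434.
    for i in range(150):
        flows.append(("192.0.2.30", f"203.0.113.{i % 254 + 1}",
                      TCP, 49152 + i, 20))
    return flows


SAMPLE_FLOWS = constructed_flows()

# Constructed per-port counters: interface name -> (inbound pps, outbound pps)
# as seen from the switch, i.e. "inbound" is what the customer sends us.
SAMPLE_PORT_COUNTERS = {
    "Gi1/0/7": (25000, 10),      # the pattern described in the thread
    "Gi1/0/8": (8000, 7600),     # web server: chatty in both directions
    "Gi1/0/9": (30, 25),         # idle host
    "Gi1/0/10": (24000, 18000),  # saturated but bidirectional
    "Gi1/0/11": (12000, 4),      # second infected customer
}


def slammer_sources(flows, window_seconds=1.0, min_dsts=100, min_pps=200):
    """Return {src: (distinct_dsts, pps)} for hosts spraying UDP/1434.

    A real SQL client talks to a handful of servers; an infected host sends
    one datagram each to pseudo-random addresses, so both the destination
    count and the packet rate on this single port explode at once.
    """
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    for src, dst, proto, dport, packets in flows:
        if proto == UDP and dport == SLAMMER_PORT:
            dsts[src].add(dst)
            pkts[src] += packets
    hits = {}
    for src, targets in dsts.items():
        pps = pkts[src] / window_seconds
        if len(targets) >= min_dsts and pps >= min_pps:
            hits[src] = (len(targets), pps)
    return hits


def suspect_ports(counters, min_in_pps=10000, max_out_ratio=0.001):
    """Return the sorted names of ports with high inbound and near-zero
    outbound packet rates.

    Ordinary traffic is roughly symmetric in packet count (TCP acks, query
    replies); a host blasting UDP at random addresses gets almost nothing
    back, so outbound packets are a tiny fraction of inbound ones.
    """
    flagged = []
    for name, (in_pps, out_pps) in counters.items():
        if in_pps >= min_in_pps and out_pps <= in_pps * max_out_ratio:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for src, (n, pps) in slammer_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {n} destinations on udp/{SLAMMER_PORT} at {pps:.0f} pps")
    print("customer ports to shut down:",
          ", ".join(suspect_ports(SAMPLE_PORT_COUNTERS)))
```

On the sample data only 192.0.2.10 is reported by the flow check (300 destinations at 300 pps; the legitimate client hits the same port but only two servers), and only Gi1/0/7 and Gi1/0/11 are reported by the port check. Run against real sampled flow exports the window and rate thresholds have to be scaled by the sampling ratio, and the port heuristic is a triage list for the support desk to confirm, not an automatic shutdown.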