DDoS tracking / accounting tools

Mike Tancsa mike at sentex.net
Sun Jun 8 22:33:50 UTC 2003


It appears someone started a DDoS (~ 500 hosts involved) attack against a 
customer IP in our network this morning at 6am EDT (~ 250Mb/s coming in on 
3 links).  None of the IP addresses are spoofed as there is a fixed set of 
about 500 hundred and all are coming in via paths that make sense from a 
bgp perspective.  Also doing a quick sample of the ones still blasting at 
me across my private peers that have not null routed the /32 its clear that 
they are still pushing out packets as quick as possible judging by response 
times from those hosts.  I now want to contact the individual network abuse 
departments of said networks so that they can take appropriate action 
against the 'owned' hosts involved.  Does anyone know of or have a tool 
that can quickly take a list of IP addresses and summarize / generate the 
appropriate network contact info ?  What about a tool to quickly summarize 
by AS ?

Doing a quick random sample of the hosts involved 6 out of 10 were all 
windows type boxes and 4 had no ports open or were either firewalled or 
behind some home router.  The boxes all seem to be blasting out packets 445 
bytes long and the protocol appears to be randomized in the header


09:35:57.243330 0:a:f3:a5:c8:bc 0:d0:b7:27:55:43 ip 459: 211.135.33.199 > 
64.7.138.8:  ip-proto-253 425 (ttl 109, id 9477, len 445)
0x0000   4500 01bd 2505 0000 6dfd 66e1 d387 21c7        E...%...m.f...!.
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000
and
                   ..
18:23:59.553908 0:4:de:56:d:80 0:1:80:38:46:37 ip 459: 
h24-77-1-84.gv.shawcable.net > 64.7.138.8: icmp: echo reply
0x0000   4500 01bd 74e3 0000 7801 e8ac 184d 0154        E...t...x....M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................

18:28:32.069714 0:4:de:56:d:80 0:1:80:38:46:37 0800 459: 24.77.1.84 > 
64.7.138.8: truncated-udplength 0 (ttl 120, id 15668, len 44
5)
0x0000   4500 01bd 3d34 0000 7811 204c 184d 0154        E...=4..x..L.M.T
0x0010   4007 8a08 0000 0000 0000 0000 0000 0000        @...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................

Anyone recognize this DOS signature ?  trinity v3 seems to have these 
capabilities but I have not seen it mentioned in some time... An oldie but 
a goodie, or something new ?


	---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike




More information about the NANOG mailing list