[100887] in North American Network Operators' Group
Reflection Attack- 69.80.239.50
daemon@ATHENA.MIT.EDU (mack)
Tue Nov 20 12:03:55 2007
From: mack <mack@exchange.alphared.com>
To: "nanog@merit.edu" <nanog@merit.edu>
Date: Tue, 20 Nov 2007 11:02:34 -0600
Errors-To: owner-nanog@merit.edu
I apologize if this is off topic.
Currently the IP 69.80.239.50 is the victim of a reflection attack.
Many operators may be seeing what appears to be a syn attack generated by this IP.
These are actually spoofed packets hitting an open port designed to generate a syn-ack packet at the victim server.
This attack was originally a standard syn attack which has lasted since the 13th.
On Saturday the 17th we moved the victim server to a new ip behind a firewall.
Yesterday, Monday the 19th at approximately 3PM the attack changed to a reflection attack of greatly increased magnitude. We have rate limited syn-ack packets hitting the firewall to reduce backscatter of reset packets.
Anyone seeing a stream of packets that appears to be improperly sourced from 69.80.239.50 is asked to contact us if they believe they can help us track back the perpetrators.
Any assistance that can be rendered is appreciated. This includes direction to another forum that may be able to offer assistance.
As there are approximately 102,000 reflectors being used please do not contact us unless you can help us trace this back or provide substantial assistance. We are currently overwhelmed by abuse complaints this has generated.
The attack has now doubled in size and may be considerably more than 102k reflectors.
----
LR Mack McBride
Network Administrator
Alpha Red, Inc.
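
Added example, not part of the original post: a victim-side check that separates SYN-ACKs answering connections the victim really opened from unsolicited SYN-ACKs of the kind a reflection attack produces, and counts the distinct reflectors. The record layout, function names and all addresses other than 69.80.239.50 are assumptions made for illustration.

```python
from collections import Counter

VICTIM = "69.80.239.50"  # address named in the post

# Constructed sample records (assumed layout, e.g. parsed from a capture):
# (src_ip, src_port, dst_ip, dst_port, tcp_flags)
# Peer and reflector addresses are documentation-range placeholders.
SAMPLE = [
    (VICTIM, 40001, "192.0.2.10", 443, "S"),    # victim opens a real connection
    ("192.0.2.10", 443, VICTIM, 40001, "SA"),   # solicited reply to that SYN
    ("198.51.100.7", 80, VICTIM, 51515, "SA"),  # no matching outbound SYN
    ("198.51.100.7", 80, VICTIM, 51516, "SA"),
    ("203.0.113.99", 22, VICTIM, 1024, "SA"),
    ("203.0.113.5", 55000, VICTIM, 80, "S"),    # inbound SYN, not a SYN-ACK
]

def classify(records, victim):
    """Split SYN-ACKs arriving at the victim into solicited and unsolicited."""
    pending = set()          # half-open connections the victim started
    unsolicited = Counter()  # reflector IP -> unmatched SYN-ACK count
    solicited = 0
    for src, sport, dst, dport, flags in records:
        if src == victim and flags == "S":
            pending.add((dst, dport, sport))
        elif dst == victim and flags == "SA":
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)   # each SYN is answered at most once
                solicited += 1
            else:
                unsolicited[src] += 1  # nobody here asked for this reply
    return solicited, unsolicited

def summarize(records, victim=VICTIM):
    """Return counts an operator can use to size the reflected traffic."""
    solicited, unsolicited = classify(records, victim)
    return {
        "solicited": solicited,
        "unsolicited": sum(unsolicited.values()),
        "reflectors": len(unsolicited),
        "top": unsolicited.most_common(1)[0] if unsolicited else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```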