[12720] in North American Network Operators' Group
Re: Denial of service attacks apparently from UUNET Netblocks
daemon@ATHENA.MIT.EDU (Dan Foster)
Tue Oct 7 07:54:53 1997
From: Dan Foster <dsf@frontiernet.net>
In-Reply-To: <m0xIKcr-000HJ8B@mail.airmail.net> from Doug Davis at "Oct 6, 97 04:23:36 pm"
To: karl@mcs.net
Date: Tue, 7 Oct 1997 07:01:34 -0400 (EDT)
Cc: dsf@frontiernet.net (Dan Foster), nanog@merit.edu
Hot Diggety! Doug Davis was rumored to have said...
> 19:56:56.854432 snap 0:0:0:8:0 37.31.237.183.1900 > 206.66.14.112.57039: S 674719801:674719801(0) win 65535 (ttl 21, id 13333)
> 19:56:56.854432 snap 0:0:0:8:0 76.167.191.100.1900 > 206.66.14.112.57040: S 674719801:674719801(0) win 65535 (ttl 21, id 13334)
> 19:56:56.854432 snap 0:0:0:8:0 131.254.10.213.1900 > 206.66.14.112.57041: S 674719801:674719801(0) win 65535 (ttl 21, id 13335)
> 19:56:56.855409 snap 0:0:0:8:0 74.60.41.73.1900 > 206.66.14.112.57042: S 674719801:674719801(0) win 65535 (ttl 21, id 13336)
Ouch...painful. A whole lot of SYNs with forged source address, eh? Hmm...
interesting. Karl, if I might ask - did your attack originate from any specific
port, like 1900 as is listed here?
I'm just curious since I'd like to get a rough idea if there's some program
other than smurf.c out there that makes use of a specific port by default,
or if this is just a one-time occurrence by a few separate idiots.
And as usual, thanks for the heads up from folks on NANOG.
-Dan Foster
Frontier Internet
Internet: dsf@frontiernet.net
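
Added example, not part of the original message or thread: a small parser for SYN lines in the tcpdump format quoted above that reports which header fields stay identical across packets claiming different source addresses, which is the question the message asks about port 1900. The function names and the `min_sources` threshold are assumptions made for this illustration.

```python
import re

# The four tcpdump lines quoted in the message above (quote markers removed).
CAPTURE = """\
19:56:56.854432 snap 0:0:0:8:0 37.31.237.183.1900 > 206.66.14.112.57039: S 674719801:674719801(0) win 65535 (ttl 21, id 13333)
19:56:56.854432 snap 0:0:0:8:0 76.167.191.100.1900 > 206.66.14.112.57040: S 674719801:674719801(0) win 65535 (ttl 21, id 13334)
19:56:56.854432 snap 0:0:0:8:0 131.254.10.213.1900 > 206.66.14.112.57041: S 674719801:674719801(0) win 65535 (ttl 21, id 13335)
19:56:56.855409 snap 0:0:0:8:0 74.60.41.73.1900 > 206.66.14.112.57042: S 674719801:674719801(0) win 65535 (ttl 21, id 13336)
"""

# addr.port > addr.port: S seq:seq(len) win N (ttl N, id N)
SYN_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S (?P<seq>\d+):\d+\(\d+\) "
    r"win (?P<win>\d+) \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)

def parse_syns(text):
    """Return one dict per SYN line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            fields = m.groupdict()
            out.append({k: v if k in ("src", "dst") else int(v)
                        for k, v in fields.items()})
    return out

def shared_fingerprint(syns, min_sources=3):
    """Hypothetical helper: header fields identical across SYNs that claim
    at least `min_sources` different source addresses."""
    if len({s["src"] for s in syns}) < min_sources:
        return {}
    result = {}
    for field in ("sport", "seq", "win", "ttl"):
        values = {s[field] for s in syns}
        if len(values) == 1:
            result[field] = values.pop()
    ids = [s["ipid"] for s in syns]
    # IP IDs stepping by exactly one (mod 2^16) across "different" senders
    result["ipid_sequential"] = all((b - a) % 65536 == 1
                                    for a, b in zip(ids, ids[1:]))
    return result

if __name__ == "__main__":
    print(shared_fingerprint(parse_syns(CAPTURE)))
```

On the quoted capture, the source port, sequence number, window and TTL are all shared, and the IP IDs increase by one per packet even though every packet carries a different source address.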