[52304] in North American Network Operators' Group
AS3303 customer under attack
daemon@ATHENA.MIT.EDU (Andre Chapuis)
Tue Sep 24 04:25:24 2002
Date: Tue, 24 Sep 2002 10:24:39 +0200
To: noc@teleglobe.net, noc@att.com, nanog@merit.edu
From: Andre Chapuis <chapuis@ip-plus.net>
Cc: engineering IP-Plus <engineering@ip-plus.net>, markus@uta.at
Errors-To: owner-nanog-outgoing@merit.edu
Dear NOC /Nanog,
We (Swisscom, AS3303) have a customer that has been attacked for about 5
days now. It is a DOS attack with spoofed source IP addresses. The
destination network is:
193.77.0.0/16, as-path 3303 8437 5603 2610
The attack is (at least!) 100Mb/s, and is coming from different peers.
Yesterday it was on our peerings with AS7018 and AS6453 in Palo-Alto, today
it seems to be more on the AADS in Chicago.
I applied the following packet filter (access-list 19 below) to all our
external links, and there is a huge number of packets with those source IPs
coming in. Although we drop these packets at our ingress, may I ask
everyone peering with us (and others if you feel concerned) to configure
that packet filter in output?
Thanks a lot for your help (or feedback if you are also experiencing such
problems) and have a nice day
André
-----------------------------------------------------------------------
access-list 19 deny 0.0.0.0 0.255.255.255
access-list 19 deny 1.0.0.0 0.255.255.255
access-list 19 deny 2.0.0.0 0.255.255.255
access-list 19 deny 5.0.0.0 0.255.255.255
access-list 19 deny 7.0.0.0 0.255.255.255
access-list 19 deny 10.0.0.0 0.255.255.255
access-list 19 deny 14.0.0.0 0.255.255.255
access-list 19 deny 23.0.0.0 0.255.255.255
access-list 19 deny 31.0.0.0 0.255.255.255
access-list 19 deny 36.0.0.0 0.255.255.255
access-list 19 deny 37.0.0.0 0.255.255.255
access-list 19 deny 39.0.0.0 0.255.255.255
access-list 19 deny 41.0.0.0 0.255.255.255
access-list 19 deny 42.0.0.0 0.255.255.255
access-list 19 deny 58.0.0.0 1.255.255.255
access-list 19 deny 60.0.0.0 0.255.255.255
access-list 19 deny 70.0.0.0 1.255.255.255
access-list 19 deny 72.0.0.0 7.255.255.255
access-list 19 deny 82.0.0.0 1.255.255.255
access-list 19 deny 84.0.0.0 3.255.255.255
access-list 19 deny 88.0.0.0 7.255.255.255
access-list 19 deny 96.0.0.0 31.255.255.255
access-list 19 deny 169.254.0.0 0.0.255.255
access-list 19 deny 172.16.0.0 0.15.255.255
access-list 19 deny 176.0.0.0 15.255.255.255
access-list 19 deny 192.0.0.0 0.0.0.255
access-list 19 deny 192.0.2.0 0.0.0.255
access-list 19 deny 192.168.0.0 0.0.255.255
access-list 19 deny 222.0.0.0 1.255.255.255
access-list 19 deny 224.0.0.0 31.255.255.255
access-list 19 permit any
---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis@ip-plus.net
CCIE #6023
----------------------
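
The following is an added example, not part of the original post: it parses IOS standard ACL lines in the address/wildcard form used by access-list 19 above, converts each wildcard to a CIDR prefix, and evaluates a source address with first-match semantics. The function names and the sample addresses in the test calls are constructed for illustration; the ACL text is a subset of the list in the message.

```python
import ipaddress

# Subset of access-list 19 from the message above, plus its final permit.
ACL_TEXT = """\
access-list 19 deny 10.0.0.0 0.255.255.255
access-list 19 deny 58.0.0.0 1.255.255.255
access-list 19 deny 96.0.0.0 31.255.255.255
access-list 19 deny 172.16.0.0 0.15.255.255
access-list 19 deny 192.0.2.0 0.0.0.255
access-list 19 deny 224.0.0.0 31.255.255.255
access-list 19 permit any
"""

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a CIDR network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard has the form 2**n - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    prefix = 32 - w.bit_length()
    # strict=True rejects an entry whose address has host bits set
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=True)

def parse_acl(text):
    """Return [(action, network)] in configured order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[3:]
        if rest == ["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif len(rest) == 2:
            net = wildcard_to_network(rest[0], rest[1])
        else:
            raise ValueError(f"unsupported entry: {line}")
        rules.append((action, net))
    return rules

def evaluate(rules, src):
    """First match wins; an IOS ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(src)
    for action, net in rules:
        if ip in net:
            return action, net
    return "deny", None

RULES = parse_acl(ACL_TEXT)
```

Most of the first-octet ranges denied in this 2002 list (1.0.0.0/8 and 58.0.0.0/7 among them) have since been allocated, so a static list like this has to be regenerated from current registry data before reuse or it will drop legitimate traffic.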