[55160] in North American Network Operators' Group
Re: Tracing where it started
daemon@ATHENA.MIT.EDU (Clayton Fiske)
Sat Jan 25 14:51:20 2003
Date: Sat, 25 Jan 2003 10:14:07 -0800
From: Clayton Fiske <clay@bloomcounty.org>
To: nanog@merit.edu
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA/zNkI7d3EEmn3+v5DgN/l8KAAAAQAAAACKnz8wt1d0ijeYEnsbOZowEAAAAA@isprime.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> It might be interesting if some people were to post when they received
> their first attack packet, and where it came from, if they happened to
> be logging.
>
> Here is the first packet we logged:
> Jan 25 00:29:37 EST 216.66.11.120
Interestingly, looking through my logs for UDP 1434, I saw a sequential
scan of my subnet like so:
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
All from 206.176.210.74, all source port 53 (probably trying to
use people's DNS firewall rules to get around being filtered).
After that, I saw nothing until the storm started last night from many
different source IPs, which was at Jan 24 21:31:53 PST for me.
-c
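The sweep described in the post (one source address, fixed source port 53, walking a subnet on UDP 1434) is the kind of pattern a firewall-log check can pick out directly. The following is an added example, not code from the post or from NANOG; it assumes the ipmon-style line layout shown above (the second number after `len` is taken as the packet length) and uses constructed sample lines, with the poster's own `x.x.x.N` placeholder kept and the extra addresses taken from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post. The first three
# lines reproduce the sweep; the last two are decoys that must not match.
SAMPLE_LOG = """\
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
Jan 16 08:16:02 198.51.100.9,53 -> x.x.x.7,53 PR udp len 20 120 IN
Jan 24 21:31:53 203.0.113.5,1434 -> x.x.x.20,1434 PR udp len 20 404 IN
"""

# Field layout assumed from the quoted lines (hypothetical, not a spec).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[^,]+),(?P<sport>\d+) -> "
    r"(?P<dst>[^,]+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ (?P<plen>\d+) "
    r"(?P<dir>\w+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "plen"):
        rec[key] = int(rec[key])
    return rec

def find_source_port_sweeps(log_text, dport=1434, sport=53, min_hosts=3):
    """Group inbound UDP probes by source address and report any source that
    reaches at least `min_hosts` distinct destinations on `dport` while using
    source port `sport`. Source port 53 on an inbound probe is worth flagging
    because stateless rules that admit 'DNS replies' by source port let it
    through; a stateful rule set would not."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dir"] != "IN":
            continue
        if rec["dport"] == dport and rec["sport"] == sport:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_hosts}

if __name__ == "__main__":
    for src, dsts in find_source_port_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} hosts probed on udp/1434 from sport 53: {dsts}")
```

Raising `min_hosts` or adding a time window keeps a single stray packet from a real resolver from tripping the check.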