[63861] in North American Network Operators' Group
Re: DDOS Today?
daemon@ATHENA.MIT.EDU (Dan Armstrong)
Sat Oct 11 15:42:19 2003
Date: Sat, 11 Oct 2003 15:23:21 -0400
From: Dan Armstrong <dan@beanfield.com>
To: Greg Valente <gvalente2@speedera.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
--------------9253CCE37D993204AC9149C1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I am still trying to confirm what happened, but it looks like we got whacked today.
Around 2:35 EST all our BGP peers dropped pretty much at the same time. Our mrtg systems have all fallen over too - so I can't confirm a
traffic spike.
Anybody else?
Dan.
Greg Valente wrote:
> I just got on today.
> Was there any large DDOS attacks today.
> Any specific networks impacted?
>
> -----Original Message-----
> From: Jeroen Massar [mailto:jeroen@unfix.org]
> Sent: Friday, October 10, 2003 8:16 PM
> To: 6bone@ISI.EDU; nanog@merit.edu
> Subject: Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no
> working contacts...
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Checking http://www.sixxs.net/tools/grh/lg/?show=bogons&find=::/0
>
> People might want to filter on private ASN's also
> when that ASN is being used as "transit"...
>
> 2001:a40::/32 AS64702 is reserved (path: 15516 3257 2497 4697 2914 10109 4538 4787 64702 20646 8763 5539 1930 9186) Ghost Route (14/12)
> 3ffe:3500::/24 3ffe:4005:fefe:: 25396 1752 10109 4538 4787 64702 20646 8319
>
> We still have these 6to4 specifics btw:
> 2002:c2b1:d06e::/48 More specific 6to4 prefix (194.177.208.110/32) from AS5408
> 2002:c8a2::/33 More specific 6to4 prefix (200.162.0.0/17) from AS15180
> 2002:c8c6:4000::/34 More specific 6to4 prefix (200.198.64.0/18) from AS15180
> 2002:c8ca:7000::/36 More specific 6to4 prefix (200.202.112.0/20) from AS15180
>
> And nopes, no contact has been made yet, apparently having
> your email address listed in the registry frees you of any
> obligations...
>
> Another funny one:
> 3ffe:3::/32 Subnet of 3ffe::/24 Mismatching origin ASN,
> should be 4555 (now: 29216)
> While there also is an announcement for:
> 2001:7fe::/32 I-rootserver-net-20030916
>
> The ghosts of this month:
> 3ffe:1f00::/24
> 3ffe:2400::/24
> Both with "10318 5623" common in their paths, obvious isn't it ?
>
> Oh and yes, still no contact from anybody at nortel, apparently
> that company doesn't know what IPv6 is. AS10318 (check above also)
> is still announcing *their* block and still haven't made any comment
> or reply back whatsoever. AS10318 have their own pTLA but apparently
> are not contactable for that pTLA either. If anybody knows someone
> alive for 3ffe:1300::/24 or AS762 or AS10318 please notify them.
>
> Maybe posting to nanog raises some people from sleep. Mailing
> the whois contacts directly doesn't help apparently.
>
> Greets,
> Jeroen
>
> -----BEGIN PGP SIGNATURE-----
> Version: Unfix PGP for Outlook Alpha 13 Int.
> Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/
>
> iQA/AwUBP4dLximqKFIzPnwjEQKluACglQJ+2QtJZ6O2fJZShwxLe0Z6Fz8AnRym
> p0Clq/HyC9EoC/RsaYudqZey
> =XBo4
> -----END PGP SIGNATURE-----
--------------9253CCE37D993204AC9149C1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
I am still trying to confirm what happened, but it looks like we got whacked
today.
<p>Around 2:35 EST all our BGP peers dropped pretty much at the same
time. Our mrtg systems have all fallen over too - so I can't confirm
a traffic spike.
<p>Anybody else?<br>
<br>
Dan.
<br>
<p>Greg Valente wrote:
<blockquote TYPE=CITE>I just got on today.
<br>Was there any large DDOS attacks today.
<br>Any specific networks impacted?
<p>-----Original Message-----
<br>From: Jeroen Massar [<a href="mailto:jeroen@unfix.org">mailto:jeroen@unfix.org</a>]
<br>Sent: Friday, October 10, 2003 8:16 PM
<br>To: 6bone@ISI.EDU; nanog@merit.edu
<br>Subject: Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still
no
<br>working contacts...
<p>-----BEGIN PGP SIGNED MESSAGE-----
<p>Checking <a href="http://www.sixxs.net/tools/grh/lg/?show=bogons&find=::/0">http://www.sixxs.net/tools/grh/lg/?show=bogons&find=::/0</a>
<p>People might want to filter on private ASN's also
<br>when that ASN is being used as "transit"...
<p>2001:a40::/32 AS64702 is reserved (path: 15516 3257 2497 4697 2914 10109
4538 4787 64702 20646 8763 5539 1930 9186) Ghost Route (14/12)
<br>3ffe:3500::/24 3ffe:4005:fefe::
25396 1752 10109 4538 4787 64702 20646 8319
<p>We still have these 6to4 specifics btw:
<br>2002:c2b1:d06e::/48 More specific 6to4
prefix (194.177.208.110/32) from AS5408
<br>2002:c8a2::/33
More specific 6to4 prefix (200.162.0.0/17) from AS15180
<br>2002:c8c6:4000::/34 More specific 6to4
prefix (200.198.64.0/18) from AS15180
<br>2002:c8ca:7000::/36 More specific 6to4
prefix (200.202.112.0/20) from AS15180
<p>And nopes, no contact has been made yet, apparently having
<br>your email address listed in the registry frees you of any
<br>obligations...
<p>Another funny one:
<br>3ffe:3::/32
Subnet of 3ffe::/24 Mismatching origin ASN,
<br>
should be 4555 (now: 29216)
<br>While there also is an announcement for:
<br>2001:7fe::/32
I-rootserver-net-20030916
<p>The ghosts of this month:
<br>3ffe:1f00::/24
<br>3ffe:2400::/24
<br>Both with "10318 5623" common in their paths, obvious isn't it ?
<p>Oh and yes, still no contact from anybody at nortel, apparently
<br>that company doesn't know what IPv6 is. AS10318 (check above also)
<br>is still announcing *their* block and still haven't made any comment
<br>or reply back whatsoever. AS10318 have their own pTLA but apparently
<br>are not contactable for that pTLA either. If anybody knows someone
<br>alive for 3ffe:1300::/24 or AS762 or AS10318 please notify them.
<p>Maybe posting to nanog raises some people from sleep. Mailing
<br>the whois contacts directly doesn't help apparently.
<p>Greets,
<br> Jeroen
<p>-----BEGIN PGP SIGNATURE-----
<br>Version: Unfix PGP for Outlook Alpha 13 Int.
<br>Comment: Jeroen Massar / jeroen@unfix.org / <a href="http://unfix.org/~jeroen/">http://unfix.org/~jeroen/</a>
<p>iQA/AwUBP4dLximqKFIzPnwjEQKluACglQJ+2QtJZ6O2fJZShwxLe0Z6Fz8AnRym
<br>p0Clq/HyC9EoC/RsaYudqZey
<br>=XBo4
<br>-----END PGP SIGNATURE-----</blockquote>
</html>
--------------9253CCE37D993204AC9149C1--
