North American Network Operators Group (NANOG) mailing list
Subject: Re: Private routes advertised
We are seeing a long SMURF attack against the address 193.124.51.206. I ask everyone who reads this list and can check traffic over his network to check if he sees ICMP packets FROM 193.124.51.206 (SRC address) TO 129.72/16, 129.74/16 etc... I don't think it's impossible to localise the intruder if he holds this crazy program for so long (more than 6 hours). All that's necessary to trace is the forged packets with the SRC address 193.124.51.206/32 and DST addresses from the black list described here a few days ago.

What we see now is:

Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 148.81.230.253 -> 193.
etc etc...

These are echo-reply packets, and this means there exist ECHO-REQUEST packets sent by the intruder.

On Thu, 16 Apr 1998, Sam Critchley wrote:

> Date: Thu, 16 Apr 1998 17:06:25 +0100 (BST)
> From: Sam Critchley <samc@uk.uu.net>
> To: administrator@lamere.net
> Cc: nanog@merit.edu
> Subject: Re: Private routes advertised
>
> Hello,
>
> I've forwarded this to the UUNET NOC. You can call them on 1-800-900-0241
> as well.
>
> Thanks,
>
> Sam Critchley
>
> On Thu, 16 Apr 1998 administrator@lamere.net wrote:
>
> > Hello,
> > alter.net is advertising private routes 192.168.nnn.nnn. Who do I
> > contact to get that shut down?
> >
> > Here is the traceroute on it.
> >
> > [C:\]tracerte 192.168.2.5
> > 0 lamere-r1.lamere.net (206.249.60.1) 8 ms 8 ms 0 ms
> > 1 lamere-r1.lamere.net (206.249.60.1) 0 ms 0 ms 0 ms
> > 2 206.249.57.241 (206.249.57.241) 8 ms 0 ms 0 ms
> > 3 loki.wordwrap.net (206.249.56.1) 0 ms 7 ms 0 ms
> > 4 bbr2-s401-wordwrap.ctel.net (208.221.76.165) 8 ms 203 ms 180 ms
> > 5 905.Hssi2-0.GW1.BOS1.ALTER.NET (157.130.4.25) 31 ms 156 ms 234 ms
> > 6 123.ATM2-0-0.XR2.BOS1.ALTER.NET (146.188.176.238) 8 ms 24 ms 15 ms
> > 7 190.ATM10-0-0.XR2.EWR1.ALTER.NET (146.188.176.153) 32 ms 85 ms 32 ms
> > 8 100.ATM10-0-0.TR2.EWR1.ALTER.NET (146.188.176.90) 39 ms 31 ms 23 ms
> > 9 105.ATM6-0.TR2.DCA1.ALTER.NET (146.188.136.189) 24 ms 23 ms 24 ms
> > 10 198.ATM8-0-0.XR2.TCO1.ALTER.NET (146.188.161.185) 32 ms 23 ms 24 ms
> > 11 192.ATM1-0-0.GW2.TCO1.ALTER.NET (146.188.160.53) 31 ms 32 ms 23 ms
> > 12 quantum-gw.customer.alter.net (157.130.34.170) 31 ms 31 ms 39 ms
> > 13 192.168.4.1 (192.168.4.1) 86 ms * 93 ms
> > 14 192.168.10.2 (192.168.10.2) 94 ms 94 ms 93 ms
> > 15 192.168.11.23 (192.168.11.23) 94 ms 86 ms 125 ms
> > 16 192.168.2.5 (192.168.2.5) 93 ms *
> >
> > Curtis
> >
> > --
> > -----------------------------------------------------------
> > Curtis Maurand
> > System Administrator
> > lamere.net Business Center
> > We'll get you Wired.
> > administrator@lamere.net
> > -----------------------------------------------------------
>
> ****************************************
> Sam Critchley
> International Systems Engineer
> UUNET
> samc@UU.net
> Tel: (+44) 1223 250444
> ****************************************

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
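An added detection example, written for this archive page and not part of the post or of any Relcom tooling. It parses Cisco %SEC-6-IPACCESSLOGDP lines of the kind shown above, keeps only ICMP echo-replies (type 0, the first number in the "(0/0)" field, which is why the author can say the logged packets are replies to requests someone else sent), and flags any destination that receives replies from many distinct /16 networks inside a short window. That many-reflectors-to-one-victim pattern is what a smurf flood looks like from the victim's side, and the list of reflector networks it produces is exactly what an operator needs when asking other networks to check their traffic, as the post does. The sample lines are constructed from the ones in the post (the truncated last line is not reproduced; two extra lines are added, one of them an echo-request to show it is excluded); the 60-second window, the threshold of five networks and the /16 grouping are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the %SEC-6-IPACCESSLOGDP lines in the post.
# The last two lines are added: a second host in 129.74/16 and an echo-request
# (type 8) to a different host, which the detector must ignore.
SAMPLE_LOG = """\
Apr 16 20:31:49 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 130.34.195.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:50 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.115.201.88 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:51 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.90.51 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:52 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.72.4.38 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:53 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 134.57.7.220 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:54 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 128.139.221.1 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 148.81.230.253 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:55 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 129.74.12.9 -> 193.124.51.206 (0/0), 1 packet
Apr 16 20:31:56 MSK: %SEC-6-IPACCESSLOGDP: list 108 denied icmp 10.1.2.3 -> 193.124.51.10 (8/0), 1 packet
"""

# "(type/code)" is the ICMP type and code; type 0 is echo-reply, type 8 echo-request.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+: %SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(text, year=1998):
    """Parse ACL log lines into dicts; lines that do not match (truncated or
    unrelated) are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # IOS timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({
            "ts": ts, "acl": m["acl"], "src": m["src"], "dst": m["dst"],
            "icmp_type": int(m["type"]), "icmp_code": int(m["code"]),
            "count": int(m["count"]),
        })
    return records


def reflector_net(src, prefix=16):
    """Group reflector hosts by network; /16 is an assumption matching the post."""
    return str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))


def find_smurf_victims(text, window_seconds=60, min_reflector_nets=5, year=1998):
    """Return {victim_ip: sorted reflector networks} for every destination that
    received echo-replies from at least min_reflector_nets distinct networks
    within some window_seconds-long window."""
    by_dst = defaultdict(list)
    for r in parse_acl_log(text, year):
        if r["icmp_type"] == 0:          # echo-reply only
            by_dst[r["dst"]].append(r)
    victims = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # slide a window over each start
            nets = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                nets.add(reflector_net(r["src"]))
            if len(nets) >= min_reflector_nets:
                victims[dst] = sorted(nets)
                break
    return victims


if __name__ == "__main__":
    for victim, nets in find_smurf_victims(SAMPLE_LOG).items():
        print(f"{victim}: echo-replies from {len(nets)} networks: {', '.join(nets)}")
```

On real logs the threshold should be tuned against the normal echo-reply rate for the destination; a single host that legitimately pings many networks will also show many reflector /16s, but not at the sustained rate or with the "denied" action this ACL records.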
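A second added example, for the private-route problem in the quoted traceroute; it is not from the thread or from any of the operators involved. The traceroute shows the path leaving public address space at an alter.net customer gateway and continuing through 192.168/16 hops, which only happens when an upstream is carrying an RFC 1918 prefix. The function below parses traceroute-style hop lines, ignores private hops that appear before the first public hop (the tracing site's own LAN), and reports the last public hop and the first private hop after it, i.e. the point at which a leak complaint should be directed. The sample is a constructed excerpt using hop numbers, names and addresses from the post with some hops omitted; the RFC 1918 list is spelled out rather than relying on ip_address().is_private, whose meaning has changed between Python versions.

```python
import ipaddress
import re

# Constructed excerpt modelled on the tracerte output quoted in the thread
# (hop numbers, names and addresses as in the post; several hops omitted).
SAMPLE_TRACE = """\
 0 lamere-r1.lamere.net (206.249.60.1) 8 ms 8 ms 0 ms
 4 bbr2-s401-wordwrap.ctel.net (208.221.76.165) 8 ms 203 ms 180 ms
 5 905.Hssi2-0.GW1.BOS1.ALTER.NET (157.130.4.25) 31 ms 156 ms 234 ms
11 192.ATM1-0-0.GW2.TCO1.ALTER.NET (146.188.160.53) 31 ms 32 ms 23 ms
12 quantum-gw.customer.alter.net (157.130.34.170) 31 ms 31 ms 39 ms
13 192.168.4.1 (192.168.4.1) 86 ms * 93 ms
14 192.168.10.2 (192.168.10.2) 94 ms 94 ms 93 ms
15 192.168.11.23 (192.168.11.23) 94 ms 86 ms 125 ms
16 192.168.2.5 (192.168.2.5) 93 ms *
"""

# RFC 1918 private space, listed explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "<hop> <name> (<ip>) ..." ; hops that timed out entirely ("*") carry no address and are skipped.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<name>\S+)\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_hops(text):
    """Return (hop_number, name, ip) tuples in the order the trace lists them."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m["hop"]), m["name"], m["ip"]))
    return hops


def private_route_leak(text):
    """Find where a trace crosses from public space into RFC 1918 space.
    Private hops seen before any public hop are the tracing site's own
    network and are ignored. Returns None when there is no such crossing."""
    hops = parse_hops(text)
    last_public = None
    for hop in hops:
        if is_rfc1918(hop[2]):
            if last_public is not None:
                private_hops = [h for h in hops if h[0] >= hop[0] and is_rfc1918(h[2])]
                return {
                    "last_public": last_public,     # the gateway that handed us into private space
                    "first_private": hop,
                    "private_hops": private_hops,
                }
        else:
            last_public = hop
    return None


if __name__ == "__main__":
    leak = private_route_leak(SAMPLE_TRACE)
    if leak:
        hop, name, ip = leak["last_public"]
        print(f"private space reached at hop {leak['first_private'][0]} "
              f"after hop {hop} {name} ({ip}); {len(leak['private_hops'])} private hops follow")
    else:
        print("no public-to-private crossing in this trace")
```

The same check applies to a route table dump: any RFC 1918 prefix learned from an external peer is a leak and should be dropped by an inbound prefix filter rather than reported after the fact.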