Odd DDOS?

From: David Meissner (dmeissnerat_private)
Date: Tue May 08 2001 - 21:24:56 PDT

    I noticed an odd pattern of pings in our firewall logs that started on
    May 1. I assume this had to do with the "hacker war" with China, but
    what I can't figure out is what the attack was intended to do. There
    doesn't seem to be enough traffic to be a real DDOS attack, but there
    were far too many source IPs for this to be accidental. I counted 880+
    different source IPs over the four or five days that I saw this. Some of
    the IPs were repeated a few times, but the majority of sources only
    showed up once in the log.
    
    I have included a partial firewall log, and a list of some of the source
    IPs. Has anyone else seen something like this?
    
    Here are a few of the repeated IPs. The first number is the number of
    times they showed up over the five days.
    
    David Meissner
    dmeissnerat_private
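A defender-side check for the pattern described above, added here as an example and not part of the original post: it parses Cisco PIX %PIX-3-106011 "Deny inbound (No xlate) icmp" lines (the format of the poster's firewall log) and, per destination, counts distinct echo-request sources, the fraction that repeated, and the overall rate, so a "many one-shot sources, very little traffic" pattern can be told apart from a single-source flood. The sample log lines, the thresholds, and the 10.0.x.x / 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Cisco PIX %PIX-3-106011 ICMP deny line, in the format of the poster's log.
PIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-3-106011: Deny inbound \(No xlate\) "
    r"icmp src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\w.]+) \(type (?P<type>\d+), code \d+\)$")

def parse_pix_icmp(lines):
    """Return (timestamp, src, dst, icmp_type) for every line that matches."""
    events = []
    for line in lines:
        m = PIX_RE.match(line.strip())
        if m:  # syslog stamps carry no year; time deltas still work
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["type"])))
    return events

def profile_echo_requests(events, min_sources=20, max_repeat_ratio=0.25, max_per_min=60):
    """Per destination: distinct echo-request sources, the fraction that repeated,
    and the overall rate. 'distributed_low_rate' marks the pattern in the post:
    many one-shot sources, too little traffic to be a flood. Thresholds are assumed."""
    by_dst, spans = defaultdict(Counter), {}
    for ts, src, dst, typ in events:
        if typ != 8:  # echo request only
            continue
        by_dst[dst][src] += 1
        lo, hi = spans.get(dst, (ts, ts))
        spans[dst] = (min(lo, ts), max(hi, ts))
    report = {}
    for dst, srcs in by_dst.items():
        total, distinct = sum(srcs.values()), len(srcs)
        repeat_ratio = sum(c > 1 for c in srcs.values()) / distinct
        minutes = max((spans[dst][1] - spans[dst][0]).total_seconds(), 60) / 60
        per_min = total / minutes
        report[dst] = {"total": total, "distinct_sources": distinct,
                       "repeat_ratio": repeat_ratio, "per_minute": per_min,
                       "distributed_low_rate": (distinct >= min_sources and
                                                repeat_ratio <= max_repeat_ratio and
                                                per_min <= max_per_min)}
    return report

# Constructed sample, not the poster's log: 24 one-shot sources plus one source
# seen three times against .6, and a single-source burst of 30 pings against .7.
LINE = ("May  1 16:{m:02d}:{s:02d} pix %PIX-3-106011: Deny inbound (No xlate) "
        "icmp src outside:{src} dst outside:192.0.2.{d} (type 8, code 0)")
SAMPLE_LOG = [LINE.format(m=i, s=0, src=f"10.0.{i}.1", d=6) for i in range(24)]
SAMPLE_LOG += [LINE.format(m=i, s=30, src="198.51.100.7", d=6) for i in (2, 9, 17)]
SAMPLE_LOG += [LINE.format(m=30, s=i, src="203.0.113.9", d=7) for i in range(30)]
```

Running `profile_echo_requests(parse_pix_icmp(SAMPLE_LOG))` flags 192.0.2.6 (25 sources, only one repeating, about one ping a minute) and not 192.0.2.7 (one source, 30 pings in half a minute).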
    



    This archive was generated by hypermail 2b30 : Tue May 08 2001 - 21:48:27 PDT