Re: Odd DDOS?

From: Keith.Morgan (Keith.Morganat_private)
Date: Wed May 09 2001 - 06:38:33 PDT


    I've been seeing activity of this nature as well.  It's been icmp from a
    flurry of hosts.  Normally 10-25 different source addresses each only
    sending a half-dozen or so pings.  Normally the activity is very brief.  It
    certainly makes me wonder.
    
    
    
    > -----Original Message-----
    > From: David Meissner [mailto:dmeissnerat_private]
    > Sent: Wednesday, May 09, 2001 12:25 AM
    > To: INCIDENTSat_private
    > Subject: Odd DDOS?
    >
    >
    > I noticed an odd pattern of pings in our firewall logs that started on
    > May 1. I assume this had to do with the "hacker war" with China, but
    > what I can't figure out is what the attack was intended to do. There
    > doesn't seem to be enough traffic to be a real DDOS attack, but there
    > were far too many source IPs for this to be accidental. I counted 880+
    > different source IPs over the four or five days that I saw
    > this. Some of
    > the IPs were repeated a few times, but the majority of sources only
    > showed up once in the log.
    >
    > I have included a partial firewall log, and a list of some of
    > the source
    > IPs. Has anyone else seen something like this?
    >
    > May  1 15:44:26 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:208.63.169.111 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 15:51:59 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:204.255.108.130 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 15:53:17 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:209.150.38.70 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 15:53:41 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:209.245.175.122 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 15:59:10 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:24.18.253.101 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 15:59:28 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:24.161.227.212 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:07:33 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:24.21.123.99 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:11:16 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:209.105.45.195 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:11:36 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.154.61.16 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:12:54 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.138.188.51 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:13:00 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:204.255.108.130 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:13:34 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:213.123.61.76 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:13:56 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:204.255.108.130 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:14:40 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:63.216.185.149 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:16:57 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:12.79.24.112 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:18:30 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.139.92.103 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:20:45 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:64.230.210.153 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:21:10 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.170.233.254 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:21:24 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.128.207.126 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:23:28 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:63.14.88.132 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:25:47 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:63.120.176.52 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:29:19 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.155.5.160 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:31:52 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:24.159.104.188 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:34:53 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:205.179.212.104 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:35:54 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:66.20.195.67 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:37:32 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:64.76.152.98 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:37:43 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:204.118.210.94 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:39:18 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:65.28.178.5 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:39:23 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:65.2.168.44 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:40:31 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.175.99.237 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:41:17 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:63.42.3.95 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:41:17 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.142.111.117 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:41:40 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:24.72.42.181 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:42:14 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:4.48.235.150 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:42:59 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:208.213.198.75 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:43:09 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.141.83.204 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:43:18 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:208.213.198.75 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:43:44 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:141.150.146.228 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:47:09 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:63.59.176.15 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    > May  1 16:47:36 pix %PIX-3-106011: Deny inbound (No xlate) icmp src
    > outside:172.150.252.161 dst outside:xxx.xxx.xxx.6 (type 8, code 0)
    >
    > Here are a few of the repeated IPs. The first number is the number of
    > times they showed up over the five days.
    >
    >    5 63.13.130.62
    >    5 32.100.187.174
    >    5 172.149.113.199
    >    5 151.202.114.211
    >    4 24.1.165.168
    >    4 172.149.113.56
    >    3 66.26.171.198
    >    3 24.68.60.171
    >    3 24.29.48.134
    >    3 24.18.164.10
    >    3 24.177.145.75
    >    3 24.160.66.168
    >    3 209.41.235.73
    >    3 209.250.46.42
    >    3 208.155.5.74
    >    3 204.255.108.130
    >    3 172.182.62.90
    >    3 172.182.115.214
    >    3 172.160.22.238
    >    3 172.139.20.132
    >    3 172.133.138.123
    >    3 172.132.140.27
    >    3 151.203.78.49
    >
    > David Meissner
    > dmeissnerat_private
    >
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 19:18:13 PDT