Hi all!

We have been victims of a huge DDoS against one IP address of ours, so huge that it affected our upstream provider (one of Argentina's biggest). The attack was directed to an IP address that belonged to a dial-up user; it started on Sunday 2:00 GMT-3 and it continued until we stopped advertising the network involved in BGP. Our upstream informed us that traffic was coming from all around the world, mostly from the Asia-Pacific region. It got to fill our uplink completely (STM-1) and to create performance problems for other customers of our upstream.

Unfortunately, we could not get accurate information regarding the content of the packets that were arriving into our network. All I have is a log from an ACL, but you know how much information you can get from that. It seems we have been smurfed in a way that has no reason to be. A user was connected with that IP address, but when he disconnected, packets were still coming in huge amounts.

We will try to advertise that network again and see what will happen. But... if the problem persists I really do not know how to stop it; this address could have been taken randomly, and if the attacker decides to change to a different network, you realize that we can't keep changing what we advertise to the Internet.

I don't know what to really ask, but I need a lot of help. Below is a little extract of our logs. Thanks in advance to everyone.

Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:44 cli-border 11399: Aug 12 19:02:44.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.104.67.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:46 cli-border 11401: Aug 12 19:02:45.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.105.222.135 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:47 cli-border 11402: Aug 12 19:02:46.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.188.65.93 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:48 cli-border 11403: Aug 12 19:02:47.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 195.31.27.14 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:49 cli-border 11404: Aug 12 19:02:48.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 199.26.203.211 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:50 cli-border 11405: Aug 12 19:02:49.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.224.64.35 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11406: Aug 12 19:02:50.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.51.192.102 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:53 cli-border 11408: Aug 12 19:02:52.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.202.3.67 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:54 cli-border 11409: Aug 12 19:02:53.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.228 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:55 cli-border 11410: Aug 12 19:02:54.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 64.58.77.170(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:55 cli-border 11411: Aug 12 19:02:54.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11412: Aug 12 19:02:56.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 151.99.109.58 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:57 cli-border 11413: Aug 12 19:02:57.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.56.11.111 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11414: Aug 12 19:02:58.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.35.104 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:59 cli-border 11415: Aug 12 19:02:59.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.221 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11416: Aug 12 19:03:00.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 63.146.81.1 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:01 cli-border 11417: Aug 12 19:03:01.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 157.130.19.158 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11418: Aug 12 19:03:02.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.58.255.117 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:03 cli-border 11419: Aug 12 19:03:03.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.168.162.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11420: Aug 12 19:03:04.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 216.43.1.201 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:05 cli-border 11421: Aug 12 19:03:05.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.54.83.250 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11422: Aug 12 19:03:06.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.50.52.95 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11424: Aug 12 19:03:08.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.137.115.66 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:09 cli-border 11425: Aug 12 19:03:09.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 206.186.188.126 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:10 cli-border 11426: Aug 12 19:03:09.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:03:10 cli-border 11427: Aug 12 19:03:10.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 202.64.144.11 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:12 cli-border 11428: Aug 12 19:03:11.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 209.215.160.55 -> 200.45.105.91 (0/0), 1 packet

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
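The poster has only ACL log lines to work from, so an added example of what can still be squeezed out of them follows. This is editor-supplied triage code, not part of the original message or of any SecurityFocus tool. It parses the Cisco IOS %SEC-6-IPACCESSLOGDP / %SEC-6-IPACCESSLOGP records quoted above, aggregates them per source, protocol and destination, flags source addresses that cannot legitimately originate Internet traffic (the 255.255.255.255 entries in the log are such a case), and reads the ICMP type/code field: the "(0/0)" in every ICMP line is type 0, echo-reply, which is exactly what a smurf victim receives from the amplifier networks. The sample input is six lines copied from the post's log; the year 2001 is assumed from the archive date because the log carries none, and the triage thresholds are the author's own heuristics.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: six records copied from the ACL log quoted in the post.
SAMPLE_LOG = """\
Aug 12 18:02:44 cli-border 11398: Aug 12 19:02:43.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:46 cli-border 11400: Aug 12 19:02:45.290 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
Aug 12 18:02:52 cli-border 11407: Aug 12 19:02:51.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:02:55 cli-border 11411: Aug 12 19:02:54.802 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:07 cli-border 11423: Aug 12 19:03:07.046 ARG: %SEC-6-IPACCESSLOGDP: list atacan denied icmp 211.39.205.3 -> 200.45.105.91 (0/0), 1 packet
Aug 12 18:03:10 cli-border 11426: Aug 12 19:03:09.294 ARG: %SEC-6-IPACCESSLOGP: list atacan denied tcp 209.249.147.161(0) -> 200.45.105.91(0), 1 packet
"""

# Router-side timestamp that follows the syslog sequence number ("11398: Aug 12 19:02:43.802 ARG:").
TS_RE = re.compile(r"\d+: (?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+) ")

# IPACCESSLOGDP carries "dst (type/code)" for ICMP; IPACCESSLOGP carries "src(port) -> dst(port)".
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>[a-z]+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line, year=2001):
    """Return one ACL log record as a dict, or None if the line is not one.
    The log has no year field; 2001 is an assumption taken from the archive date."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    t = TS_RE.search(line)
    rec["ts"] = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S.%f") if t else None
    rec["count"] = int(rec["count"])
    rec["itype"] = int(rec["itype"]) if rec["itype"] is not None else None
    return rec


def is_bogon(addr):
    """True for sources that cannot legitimately originate Internet traffic
    (broadcast/reserved, private, multicast, loopback, link-local, unspecified)."""
    a = ip_address(addr)
    return (a.is_private or a.is_reserved or a.is_multicast
            or a.is_loopback or a.is_link_local or a.is_unspecified)


def summarize(text):
    """Aggregate the records of an ACL log extract into a triage summary."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    if not events:
        return {}
    stamps = [e["ts"] for e in events if e["ts"]]
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    by_proto, by_src, by_dst = Counter(), Counter(), Counter()
    for e in events:
        by_proto[e["proto"]] += e["count"]
        by_src[e["src"]] += e["count"]
        by_dst[e["dst"]] += e["count"]
    return {
        "records": len(events),
        "logged_packets": sum(by_proto.values()),
        "span_seconds": round(span, 3),
        "by_proto": dict(by_proto),
        "by_dst": dict(by_dst),
        "unique_sources": len(by_src),
        "top_sources": by_src.most_common(5),
        "bogon_sources": sorted(s for s in by_src if is_bogon(s)),
        # ICMP type 0 is echo-reply: the traffic a smurf amplifier sends to the victim.
        "icmp_echo_replies": sum(e["count"] for e in events
                                 if e["proto"] == "icmp" and e["itype"] == 0),
    }


def triage(s):
    """Heuristic observations drawn from the summary (indicators, not proof)."""
    notes = []
    if s["icmp_echo_replies"] and s["icmp_echo_replies"] >= 0.5 * s["logged_packets"]:
        notes.append("mostly ICMP echo-reply from many distinct sources: "
                     "consistent with a smurf-style reflected flood")
    if s["bogon_sources"]:
        notes.append("invalid (spoofed) source addresses present: " + ", ".join(s["bogon_sources"]))
    if len(s["by_dst"]) == 1:
        notes.append("single target address: " + next(iter(s["by_dst"])))
    return notes


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for note in triage(summary):
        print("-", note)
```

Two caveats when reading the numbers this produces. IOS ACL logging is rate-limited and summarised per flow, so the "1 packet" records badly understate the real volume; interface counters or NetFlow on the border router are the place to measure rate. And a source of 255.255.255.255 can only be spoofed, so it is one of the addresses that ingress filtering at the upstream edge (RFC 2827 / BCP 38 style, or unicast RPF) would have dropped before it reached the STM-1.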
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 12:24:23 PDT