Re: Been a victim of a DDoS

From: Vitaly Osipov (vosipovat_private)
Date: Tue Aug 14 2001 - 01:31:10 PDT


    Hi,
    
    It's most probably "smurf" attack, when the attacker sends spoofed
    source icmp requests to some well-known amplifier networks, so each
    request results in 10-100 replies directed to the victim. There is no
    way to stop it though :) Try to contact admins of some networks which
    send you those icmp replies and ask their help in tracing the source of
    packets causing it. It will not help very much again, because he could
    easily move to another computer. If you are really worried about it,
    probably you have to start some investigation, but again, it's _very_
    difficult to trace the attacker if he has at least minimal skills.
    
    Another solution - block all ICMP somewhere at uplink for a while. Kid
    will get bored and will stop flooding.
    
    regards,
    Vitaly.
    
    Gustavo Monserrat wrote:
    > 
    > Hi all!
    > 
    > We have been victims of a huge DDoS against one IP address of ours, so huge
    > that it affected our upstream provider (One of Argentina's biggest). The
    > attack was directed to an IP address that belonged to a dial-up user and it
    > started on Sunday 2:00 GMT-3 and it continued until we stopped advertising
    > the network involved in the BGP.
    > 
    > Our upstream informed us that traffic was coming from all around the world
    > mostly from the Asia-Pacific region. It got to fill our uplink completely
    > (STM-1) and to create performance problems for other customers of our
    > upstream.
    > 
    > Unfortunately, we could not get accurate information regarding the content
    > of the packets that were arriving into our network. All I have is log from
    > an ACL, but you know how much information you can get. It seems we have been
    > smurfed in a way that has no reason to be. A user was connected with that IP
    > address, but when he disconnected, packets were still coming in huge
    > amounts. We will try to advertise that network again and see what will
    > happen. But... if the problem persists I really do not know how to stop it, this
    > address could have been taken randomly, and if the attacker decides to
    > change to a different network, you realize that we can't keep changing what
    > we advertise to the Internet.
    > 
    > I don't know what to really ask, but I need a lot of help. Below is a little
    > extract of our logs.
    > 
    > Thanks in advance to everyone.
    > 
    > 
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
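As an added illustration of Vitaly's diagnosis (example code written for this page, not from either poster), here is a small Python parser for the Cisco IOS ACL log format quoted in the thread that flags the smurf signature: many distinct sources delivering unsolicited ICMP echo replies (type 0) to one destination, some of them from broadcast addresses. The log lines are constructed with documentation addresses; the ACL name "atacan" and the threshold of five sources are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the %SEC-6-IPACCESSLOGDP / %SEC-6-IPACCESSLOGP format
# quoted in the thread (documentation addresses, not the thread's real IPs).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 192.0.2.10 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 198.51.100.77 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGP: list atacan denied tcp 192.0.2.33(0) -> 203.0.113.91(0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 255.255.255.255 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 192.0.2.200 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 198.51.100.9 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 192.0.2.5 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 192.0.2.10 -> 203.0.113.91 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list atacan denied icmp 192.0.2.44 -> 203.0.113.8 (8/0), 3 packets
"""

# ICMP entries carry "(type/code)" after the destination; TCP entries do not match.
ICMP_RE = re.compile(
    r"denied icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<n>\d+) packet")

def parse_icmp(log):
    """Yield (src, dst, icmp_type, packet_count) for every denied-ICMP line."""
    for line in log.splitlines():
        m = ICMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["type"]), int(m["n"])

def is_broadcast(ip):
    """Limited broadcast or a .255 host part: the footprint of an amplifier net."""
    return ip == "255.255.255.255" or ip.endswith(".255")

def smurf_suspects(log, min_sources=5):
    """Return {dst: stats} for destinations receiving unsolicited echo replies
    (type 0) from at least min_sources distinct hosts, i.e. reflected traffic."""
    per_dst = defaultdict(lambda: {"sources": set(), "replies": 0, "bcast": 0})
    for src, dst, itype, n in parse_icmp(log):
        if itype != 0:          # echo requests (type 8) are not reflection
            continue
        s = per_dst[dst]
        s["sources"].add(src)
        s["replies"] += n
        s["bcast"] += is_broadcast(src)
    return {dst: {"distinct_sources": len(s["sources"]),
                  "echo_replies": s["replies"],
                  "broadcast_sources": s["bcast"]}
            for dst, s in per_dst.items() if len(s["sources"]) >= min_sources}

if __name__ == "__main__":
    for dst, stats in smurf_suspects(SAMPLE_LOG).items():
        print(f"{dst}: {stats}")
```

The same per-destination counts, taken from the unfiltered uplink rather than a deny log, are what you would hand to the amplifier networks' admins when asking them to disable directed broadcast.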
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 11:39:33 PDT