Smurf amplifier attacks involving 24.6.230.169, 24.8.22.81, 24.1.13.39, 24.13.156.131, 24.8.18.47


Post by Spam Tra » Sun, 27 Feb 2000 04:00:00



This evening, my firewall has blocked fifteen (15) attempted "Smurf
amplifier" attacks involving 24.6.230.169
(c806401-a.whtrdg1.co.home.com), 24.8.22.81
(c737994-a.aurora1.co.home.com), 24.1.13.39
(c968902-a.whtrdg1.co.home.com), 24.13.156.131
(c914014-a.aurora1.co.home.com), and 24.8.18.47
(c39150-a.aurora1.co.home.com) - see "firewall log" below. All times

reply as of yet.

These attacks are still occurring (see "forwarded email alert", at
bottom of message).

Any comments on what's happening? Are others being attacked?

----- Begin firewall log -----
Date: Sat, 26 Feb 2000 22:10:41 -0800

Log (part 1) dumped to email at 02/26/2000 23:10:39.720
02/26/2000 16:19:16.752 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 16:19:17.176 -       IP spoof detected -
Source:192.168.1.22, WAN -      Destination:24.6.230.169, WAN -
-      
02/26/2000 16:25:18.288 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 16:25:18.576 -       IP spoof detected -
Source:192.168.1.22, WAN -      Destination:24.8.22.81, WAN -   -      
02/26/2000 16:53:37.416 -       UDP packet dropped -
Source:24.1.8.33, 53, WAN -     Destination:24.x.y.z, 10568, LAN -
-       Rule 0
02/26/2000 16:53:40.416 -       UDP packet dropped -
Source:24.1.8.34, 53, WAN -     Destination:24.x.y.z, 10570, LAN -
-       Rule 0
02/26/2000 16:53:41.432 -       UDP packet dropped -
Source:24.0.0.27, 53, WAN -     Destination:24.x.y.z, 10572, LAN -
-       Rule 0
02/26/2000 16:55:43.096 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 17:02:40.304 -       UDP packet dropped -
Source:24.1.8.33, 53, WAN -     Destination:24.x.y.z, 10756, LAN -
-       Rule 0
02/26/2000 17:02:41.448 -       UDP packet dropped -
Source:24.13.86.175, 31790, WAN -       Destination:24.x.y.z, 31789,
LAN -   -       Rule 0
02/26/2000 17:02:42.288 -       UDP packet dropped -
Source:24.1.8.34, 53, WAN -     Destination:24.x.y.z, 10758, LAN -
-       Rule 0
02/26/2000 17:02:43.304 -       UDP packet dropped -
Source:24.0.0.27, 53, WAN -     Destination:24.x.y.z, 10760, LAN -
-       Rule 0
02/26/2000 17:08:40.656 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 17:29:24.752 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 17:58:55.368 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 18:17:28.384 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 19:55:12.368 -       Smurf Amplification Attack Dropped -
Source:24.1.13.39, 8, WAN -     Destination:24.1.15.255, 8, WAN -
-      
02/26/2000 20:21:38.704 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 20:45:19.352 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 20:53:30.064 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 21:19:21.512 -       Smurf Amplification Attack Dropped -
Source:24.13.156.131, 8, WAN -  Destination:24.13.157.255, 8, WAN -
-      
02/26/2000 21:43:05.672 -       Smurf Amplification Attack Dropped -
Source:24.8.18.47, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 22:02:10.448 -       Smurf Amplification Attack Dropped -
Source:24.8.18.47, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
----- End firewall log -----

----- Begin forwarded alert email -----
Subject: *** Alert from [firewall] ***
Date: Sat, 26 Feb 2000 22:38:47 -0800

02/26/2000 23:38:46.032 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      

----- End forwarded alert email -----

Smurf amplifier attacks involving 24.6.230.169, 24.8.22.81, 24.1.13.39, 24.13.156.131, 24.8.18.47

Post by John Nava » Mon, 28 Feb 2000 04:00:00


[POSTED TO comp.dcom.modems.cable]


>I did that, and received two contradictory replies (not including the

>1. A personal reply from the NOC (at a few minutes past midnight):
>"Thank you for bringing this to our attention. I have gone through and
>disabled all of the offending customers. My apologies for the delay.
>The abuse department will follow up with each of these customers."

>2. A form letter from Customer Service:
>"As an always-on connection, you are likely to see many packets of
>data that are stopped as "intrusions" when they really are nothing
>more than normal packets. ...

>Who is correct? From the logs, and from what I could look up on-line
>(e.g., http://www.sonicwall.com/firewall-pro/dos_attacks.html,
>http://www.robertgraham.com/pubs/firewall-seen.html), it appears the
>notice from the firewall was accurate. My inclination is to *not* send
>logs to customer service anymore (I cc'd them) - I think the form
>letter is a brush-off to have you contact abuse.

Correct.  Customer Service is technically clueless.  NOC (network
operations center) is what matters.  Your firewall is doing its job -- be
glad you have it.

--
Best regards,
John Navas     <http://navasgrp.home.att.net/>
CABLE/DSL TIPS:  <http://navasgrp.home.att.net/tech/cable_dsl.htm>

Smurf amplifier attacks involving 24.6.230.169, 24.8.22.81, 24.1.13.39, 24.13.156.131, 24.8.18.47

Post by Spam Tra » Mon, 28 Feb 2000 04:00:00


Here's the log (all times are in Mountain Standard Time - Denver, CO)
- thanks! See 02/27/2000 00:07:32.816 for telnet from 210.55.37.169
(210-55-37-169.dialup.xtra.co.nz):

----- log from firewall -----


Subject: Log file from [firewall]
Date: Sun, 27 Feb 2000 06:49:58 -0800

WebRamp 700s 0040-100C-5ADD Log (part 1) dumped to email at 02/27/2000
07:49:56.672
02/26/2000 23:10:41.016 -       Log successfully sent via email
02/26/2000 23:20:54.032 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 23:38:46.032 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 23:57:06.944 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-      
02/26/2000 23:57:34.592 -       TCP connection dropped -
Source:207.211.168.71, 2429, WAN -      Destination:24.x.y.z, 113, LAN
-       'Authentication' -      Rule 0
02/26/2000 23:58:54.704 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-      
02/27/2000 00:07:32.816 -       TCP connection dropped -
Source:210.55.37.169, 3569, WAN -       Destination:24.x.y.z, 23, LAN
-       'Telnet' -      Rule 0
02/27/2000 01:03:09.240 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/27/2000 01:09:34.192 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/27/2000 01:12:00.640 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-      
02/27/2000 01:34:56.928 -       Sub Seven Attack Dropped -
Source:24.112.208.13, 2960, WAN -       Destination:24.x.y.z, 1243,
LAN -   -      
02/27/2000 02:19:55.576 -       TCP connection dropped -
Source:24.0.94.130, 59150, WAN -        Destination:24.x.y.z, 119, LAN
-       'News (NNTP)' -         Rule 0
02/27/2000 02:21:12.240 -       TCP connection dropped -
Source:24.0.94.130, 34241, WAN -        Destination:24.x.y.z, 119, LAN
-       'News (NNTP)' -         Rule 0
02/27/2000 03:00:26.016 -       NetBus Attack Dropped -
Source:216.112.169.221, 4126, WAN -     Destination:24.x.y.z, 12345,
LAN -   -      
02/27/2000 03:17:17.832 -       ICMP packet dropped -
Source:24.7.72.45, 3, WAN -     Destination:24.x.y.z, 3, LAN -  'Dest
Unreachable' -  Rule 0
02/27/2000 06:39:11.224 -       Smurf Amplification Attack Dropped -
Source:195.116.249.180, 8, WAN -        Destination:207.225.104.63, 8,
WAN -   -      
02/27/2000 07:48:54.192 -       Successful administrator login -
Source:192.168.1.2, LAN -       Destination:192.168.1.251 -     -      
----- end log from firewall -----




>>[...]
>> [...] attempted telnet
>> from 210.55.37.169 (210-55-37-169.dialup.xtra.co.nz),

>If you can get the logs to me, I'll make sure they end up in the
>right hands at xtra.co.nz.
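The two firewall logs above are worth more than a count of "attacks" if the entries are parsed and classified from the packet fields rather than from the label the firewall attached. The script below is an added example, not code from the thread or from the WebRamp product: it re-joins the lines the mail client wrapped, parses each entry, classifies it, and tallies the Smurf entries per source address. The sample entries are constructed from the posted logs (24.x.y.z is kept as the poster's masked address); the category names and the small port-to-trojan table are this example's own. One caveat for anyone filing abuse reports from such a log: in a Smurf attack the echo request's source address is forged to the intended victim, so the "Source" addresses in the Smurf lines identify the probable victims, not the hosts that sent the packets.

```python
from __future__ import annotations
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the WebRamp 700s e-mail logs quoted in this
# thread (a few of the posted entries, mail-client line wrapping included;
# 24.x.y.z is the poster's own masked address and is kept as a literal).
SAMPLE_LOG = """\
02/26/2000 16:19:16.752 -       Smurf Amplification Attack Dropped -
Source:24.6.230.169, 8, WAN -   Destination:255.255.255.255, 8, LAN -
-
02/26/2000 16:19:17.176 -       IP spoof detected -
Source:192.168.1.22, WAN -      Destination:24.6.230.169, WAN -
-
02/26/2000 16:25:18.288 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-
02/26/2000 19:55:12.368 -       Smurf Amplification Attack Dropped -
Source:24.1.13.39, 8, WAN -     Destination:24.1.15.255, 8, WAN -
-
02/26/2000 20:21:38.704 -       Smurf Amplification Attack Dropped -
Source:24.8.22.81, 8, WAN -     Destination:255.255.255.255, 8, LAN -
-
02/27/2000 00:07:32.816 -       TCP connection dropped -
Source:210.55.37.169, 3569, WAN -       Destination:24.x.y.z, 23, LAN
-       'Telnet' -      Rule 0
02/27/2000 01:34:56.928 -       Sub Seven Attack Dropped -
Source:24.112.208.13, 2960, WAN -       Destination:24.x.y.z, 1243,
LAN -   -
"""

START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<msg>.+?) - "
    r"Source:(?P<src>[^,\s]+),(?: (?P<sport>\d+),)? (?P<sif>WAN|LAN) - "
    r"Destination:(?P<dst>[^,\s]+),(?: (?P<dport>\d+),)? (?P<dif>WAN|LAN)(?P<rest>.*)$"
)
RAT_PORTS = {1243: "SubSeven", 12345: "NetBus"}  # the two the firewall itself names

@dataclass
class Event:
    ts: str
    msg: str          # the firewall's own label, kept for reference only
    src: str
    sport: int | None  # for ICMP entries the log puts the ICMP type in this column
    sif: str
    dst: str
    dport: int | None
    name: str | None  # service label the firewall attached, e.g. 'Telnet'

def join_wrapped(text: str) -> list[str]:
    """Re-join entries the mail client wrapped: one single-spaced record per line."""
    records: list[str] = []
    for line in text.splitlines():
        if START.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line
    return [re.sub(r"\s+", " ", r).strip() for r in records]

def parse_record(rec: str) -> Event:
    m = RECORD.match(rec)
    if not m:
        raise ValueError(f"unrecognised log entry: {rec!r}")
    g = m.groupdict()
    name = re.search(r"'([^']*)'", g["rest"])
    return Event(g["ts"], g["msg"], g["src"], int(g["sport"]) if g["sport"] else None,
                 g["sif"], g["dst"], int(g["dport"]) if g["dport"] else None,
                 name.group(1) if name else None)

def parse_log(text: str) -> list[Event]:
    return [parse_record(r) for r in join_wrapped(text)]

def is_private(addr: str) -> bool:
    try:
        return ipaddress.IPv4Address(addr).is_private
    except ValueError:  # e.g. the masked 24.x.y.z
        return False

def classify(ev: Event) -> tuple[str, str]:
    """Classify from the packet fields alone, without trusting the firewall's label."""
    # A packet from the outside addressed to the limited broadcast or a .255 directed
    # broadcast is a Smurf amplification attempt; its source is forged to the victim.
    if ev.sif == "WAN" and (ev.dst == "255.255.255.255" or ev.dst.endswith(".255")):
        kind = "limited" if ev.dst == "255.255.255.255" else "directed"
        return "smurf-amplification", f"{kind} broadcast, forged source {ev.src}"
    if ev.sif == "WAN" and is_private(ev.src):  # RFC 1918 source arriving from outside
        return "spoofed-private-source", ev.src
    if ev.dport in RAT_PORTS:
        return "rat-probe", RAT_PORTS[ev.dport]
    if ev.dport is not None:
        return "service-probe", ev.name or f"port {ev.dport}"
    return "other", ev.msg

def smurf_victims(events: list[Event]) -> Counter:
    """Amplification attempts per forged source: the addresses that are the victims."""
    return Counter(ev.src for ev in events if classify(ev)[0] == "smurf-amplification")

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.ts, *classify(ev))
    print(smurf_victims(parse_log(SAMPLE_LOG)))
```

The classifier deliberately ignores the firewall's text in `msg`; it reproduces the Smurf and spoof verdicts from the addresses and interfaces alone, which is the check to run before forwarding a log to an abuse desk. The `smurf_victims` tally gives the per-address counts the first post wanted, with the addresses understood as forged sources.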

 
 
 

Smurf amplifier attacks involving 24.6.230.169, 24.8.22.81, 24.1.13.39, 24.13.156.131, 24.8.18.47

Post by cfb » Tue, 29 Feb 2000 04:00:00



>[...]
> [...] attempted telnet
> from 210.55.37.169 (210-55-37-169.dialup.xtra.co.nz),

If you can get the logs to me, I'll make sure they end up in the
right hands at xtra.co.nz.

Smurf amplifier attacks involving 24.6.230.169, 24.8.22.81, 24.1.13.39, 24.13.156.131, 24.8.18.47

Post by jc » Tue, 29 Feb 2000 04:00:00




> >[...]
> > [...] attempted telnet
> > from 210.55.37.169 (210-55-37-169.dialup.xtra.co.nz),

> If you can get the logs to me, I'll make sure they end up in the
> right hands at xtra.co.nz.

It would make more sense for the individual, if he/she decides to report
this,

a middle person (you) who will simply forward it to the same destination.
See www.xtra.co.nz (under "contact us") for more information.

On the other hand, a telnet connection attempt against a *PC* isn't
exactly a major security violation, although some ISPs prohibit
any unauthorized connection attempts against remote systems.
In my opinion, it ranks in severity with an ftp/www
connection attempt.
