DDoS traffic

2003-08-22 Thread Matthew Sullivan
Hi All, My apologies if this is against the group topic (and someone please let me know so I will not post again if I come to the same position)... Is there a member of Comcast Abuse here... For some time now a host has been attempting to DoS (as part of a larger DDoS) one of my machines. I

The Cidr Report

2003-08-22 Thread cidr-report
This report has been generated at Fri Aug 22 21:48:33 2003 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report. Recent Table

Re: DDoS traffic

2003-08-22 Thread Matthew Sullivan
Matthew Sullivan wrote: My apologies if this is against the group topic (and someone please let me know so I will not post again if I come to the same position)... Is there a member of Comcast Abuse here... For some time now a host has been attempting to DoS (as part of a larger DDoS) one of

Cisco filter question

2003-08-22 Thread Geo.
Perhaps one of you router experts can answer this question. When using the cisco specified filter access-list 199 permit icmp any any echo access-list 199 permit icmp any any echo-reply route-map nachi-worm permit 10 ! --- match ICMP echo requests and replies (type 0 8)

Re: Cisco filter question

2003-08-22 Thread Scott McGrath
Geo, Look at your set interface Null0 command; the rest is correct. You want to set the next hop to be Null0. How to do this is left as an exercise for the reader. Scott C. McGrath On Fri, 22 Aug 2003, Geo. wrote: Perhaps one of you router experts can answer

Cisco OC-3c card question

2003-08-22 Thread Stephen Milton
What is the most cost effective equipment to use to connect two locations with an OC-3c circuit? I currently have 7206VXR routers at both ends, so would prefer slot cards for those if feasible. Excuse my ignorance, but I can't get hold of any pre-sales support at Cisco because the worms are

Re: Cisco filter question

2003-08-22 Thread Jack Bates
Scott McGrath wrote: Geo, Look at your set interface Null0 command the rest is correct you want to set the next hop to be Null0. How to do this is left as an exercise for the reader. Interface Null0 works fine. Here's a quick check. Inbound (from peers) policy matches route-map nachi-worm,

Re: Cisco filter question

2003-08-22 Thread Stephen J. Wilcox
point a route to null0 and set the next hop to be down that route On Fri, 22 Aug 2003, Jack Bates wrote: Scott McGrath wrote: Geo, Look at your set interface Null0 command the rest is correct you want to set the next hop to be Null0. How to do this is left as an exercise

RE: Cisco filter question

2003-08-22 Thread Michel Py
Instead of: set interface Null0 Use: set ip next-hop 10.255.255.254 _and_ ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE Michel. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geo. Sent: Friday, August 22, 2003 9:17 AM To: [EMAIL

Re: Cisco filter question

2003-08-22 Thread Paul A. Bradford
Geo, Not sure if I want to answer. is this OT for NANOG? :) the key is: IP: Total Length = 92 (0x5C) normal ICMP packets are not 92 bytes in length our friend Nachi does use 92 byte packets. BTW: good luck trying the route-map on 2948G-L3s... ;) Thanks, Paul On Fri, 2003-08-22

RE: Cisco filter question

2003-08-22 Thread Geo.
point a route to null0 and set the next hop to be down that route makes no difference, the problem isn't that the packets aren't being routed to null0, the problem is that the packets don't match the route-map for some reason. Only difference I see is the fragment flag is set to allow fragment

Re: Cisco filter question

2003-08-22 Thread Paul A. Bradford
Geo, OK Time for me to get coffee I missed the not stop. it might not stop a packet if the route-map isn't applied to the interface. Pablo On Fri, 2003-08-22 at 12:58, Paul A. Bradford wrote: Geo, Not sure if I want to answer. is this OT for NANOG? :) the key is: IP:

RE: Cisco filter question

2003-08-22 Thread Owen DeLong
Because your acl matches echo reply and the packet is echo request. Owen --On Friday, August 22, 2003 10:02 AM -0700 Michel Py [EMAIL PROTECTED] wrote: Instead of: set interface Null0 Use: set ip next-hop 10.255.255.254 _and_ ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE

Re: Cisco OC-3c card question

2003-08-22 Thread jlewis
On Fri, 22 Aug 2003, Stephen Milton wrote: What is the most cost effective equipment to use to connect two locations with an OC-3c circuit? I currently have 7206VXR routers at both ends, so would prefer slot cards for those if feasible. There are PA-POS-OC3 cards (IIRC 3 flavors), and you

RE: Cisco filter question

2003-08-22 Thread Lucas Iglesias
Geo, The problem is simple. If you put 2 match entries in a single route-map entry, it must match both of them to set the interface to Null0. If you'd like to match all ICMP packets and also 92 length packets, try to do this: route-map nachi-worm permit 10 match ip address 199 set interface

Sobig.f surprise attack today

2003-08-22 Thread Jim Dawson
F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC. http://www.f-secure.com/news/items/news_2003082200.shtml Jim -- See what ISP-Planet is saying about us!

Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Valdis . Kletnieks
A quick heads up, if anybody hasn't heard: At 1900GMT today, ET phones home, and picks up the next payload of instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself, put in a password grabber, and then installed a mail proxy for spammer use. This one *may* just play the

RE: Sobig.f surprise attack today

2003-08-22 Thread Todd Mitchell - lists
| Jim Dawson | Sent: Friday, August 22, 2003 2:02 PM | Subject: Sobig.f surprise attack today | | F-Secure Corporation is warning about a new level of attack to be | unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC. | |

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Stephen J. Wilcox
On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote: A quick heads up, if anybody hasn't heard: At 1900GMT today, ET phones home, and picks up the next payload of instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself, put in a password grabber, and then installed a mail

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Scott Weeks
If we can post here as soon as these mystery machines and/or ports are known we can all throw up ACLs, but if the wormwriters learned from How to Own the Internet in Your Spare Time, by the time we throw up ACLs, it's probably already too late. scott On Fri, 22 Aug 2003 [EMAIL PROTECTED]

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread up
Just started getting it here...it came from a local Comcast cable user, and so overwhelmed the mail server, that SpamAssassin and qmail-scanner stopped scanning it. I had to nullroute that IP to stop it... it looks like this: Return-Path: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED]

RE: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Todd Mitchell - lists
| Stephen J. Wilcox | Sent: Friday, August 22, 2003 2:15 PM | To: [EMAIL PROTECTED] | Cc: [EMAIL PROTECTED] | Subject: Re: Brace yourselves.. W32/Sobig-F about to mutate... | | On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote: | | A quick heads up, if anybody hasn't heard: | | At 1900GMT today,

Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Let's use the virus against itself. At this point, I think that's a legitimate

RE: Sobig.f surprise attack today

2003-08-22 Thread Matthew Kaufman
I wish all surprise attacks came at preannounced times from known locations. Matthew Kaufman

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Fergie
Let's not get too spooked -- this is yet another annoyance that exemplifies just how ludicrous the virus writer's one-upmanship really can get, something which has been around for quite some time. Thanks for the heads-up, which is (in my opinion) the appropriate response -- anything resembling

Re: Sobig.f surprise attack today

2003-08-22 Thread Omachonu Ogali
If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years.

RE: Sobig.f surprise attack today

2003-08-22 Thread Vachon, Scott
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Only if we make assumptions that what they state is 100% fact and the whole truth of the

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Valdis . Kletnieks
On Fri, 22 Aug 2003 18:41:02 -, Fergie said: Thanks for the heads-up, which is (in my opinion) the appropriate response -- anything resembling panic, scare tactics, or a Charlie Foxtrot, would only contribute to the problem. I just mentioned it so we'd all know, in case the next part does

Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan
On Fri, 22 Aug 2003, Owen DeLong wrote: OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Let's use the virus against itself. At

RE: Sobig.f surprise attack today

2003-08-22 Thread Randy Neals (ORION)
Where does one get hold of The List to know if you're on it? I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding the list of master servers. -R -Original Message- Behalf Of Omachonu Ogali Sent: August 22, 2003 2:46 PM If

RE: Sobig.f surprise attack today

2003-08-22 Thread Irwin Lazar
FYI: At 1500 GMT, Mikko Hypponen, director of anti-virus research at F-Secure, told New Scientist that 18 of the 20 internet addresses his company had identified in the virus had been blocked. But if even one

Re: Sobig.f surprise attack today

2003-08-22 Thread steve uurtamo
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them? Only if we make assumptions that what they state is 100% fact and the whole truth of

Re: Brace yourselves.. W32/Sobig-F about to mutate...

2003-08-22 Thread Adam Maloney
The [EMAIL PROTECTED] address may fool them, but I would be very suspicious of a Microsoft patch that was only 9.6KB :) Parts/Attachments: 1 Shown 3 lines Text 2 9.6 KB Application 3 Shown 0 lines Text Adam Maloney

RE: Sobig.f surprise attack today

2003-08-22 Thread Gary Attard
http://xforce.iss.net/xforce/alerts/id/151 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Randy Neals (ORION) Sent: Friday, August 22, 2003 2:54 PM To: 'Omachonu Ogali'; 'Todd Mitchell - lists' Cc: [EMAIL PROTECTED] Subject: RE: Sobig.f surprise

Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Randy Neals (ORION) wrote: Where does one get hold of The List to know if you're on it? I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding the list of master servers. It's been posted here, and f-secure has it, but I wrote a quick

RE: Sobig.f surprise attack today

2003-08-22 Thread Stephen J. Wilcox
hmm seeing about 1% traffic to those ips, curiously none on that port number tho not too exciting, did someone say weekend? On Fri, 22 Aug 2003, Gary Attard wrote: http://xforce.iss.net/xforce/alerts/id/151 -Original Message- From: [EMAIL PROTECTED]

Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan
On Fri, 22 Aug 2003, Andrew Kerr wrote: It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page: http://207.195.54.37/sobig.html (Updates about every 5 mins) You're probing the list of NTP servers the worm

Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Jay Hennigan wrote: On Fri, 22 Aug 2003, Andrew Kerr wrote: It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page: http://207.195.54.37/sobig.html (Updates about every 5 mins) You're probing the list of NTP

RE: Sobig.f surprise attack today

2003-08-22 Thread netadm
From http://www.f-secure.com/v-descs/sobig_f.shtml - Update on 19:00 UTC When the deadline for the attack was passed, one machine was still (somewhat) up. However, immediately after the deadline, this machine (located in the USA) was

Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
OK.. Seems to me that under the circumstances, since they're willing to disconnect that host from the internet (any rational ISP would be), that replacing it with a /32 route to a honeypot created by the ISP would not be that difficult. Sure, it's unlikely that 100% of the ISPs could do it in the

RE: Sobig.f surprise attack today

2003-08-22 Thread Mark Segal
My question is what were those servers.. Was the purpose to denial of service attack them? If so we just assisted that.. :) mark -- Mark Segal Director, Network Planning FCI Broadband Tel: 905-284-4070 Fax: 416-987-4701 http://www.fcibroadband.com Futureway Communications Inc. is now

Re: Cisco filter question

2003-08-22 Thread Jack Bates
[EMAIL PROTECTED] wrote: ip address (access-lists): 199 ^^^ Extended IP access list 181 ^^^ Did you mean to have a mismatch between the numbers? Or is there some magic configuration detail that links the two together that I

RE: Sobig.f surprise attack today

2003-08-22 Thread Austad, Jay
I don't think the purpose was to DoS them. It looks like some of them were hosts on Comcast's cable network, probably some user machines being used to host the second part of the payload. I just want to know what the second part of this thing does. It's better than watching TV. :)

Re: Sobig.f surprise attack today

2003-08-22 Thread Petri Helenius
Omachonu Ogali wrote: If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years. If the virus guys get

RE: Sobig.f surprise attack today

2003-08-22 Thread Dr. Jeffrey Race
On Fri, 22 Aug 2003 14:13:27 -0400, Todd Mitchell - lists wrote: See the following message sent out by X-Force a few hours ago. Todd Computers infected with the Sobig.F worm are programmed to automatically download an executable of unknown function from a hard-coded list of servers at 19:00 UTC

Re: Sobig.f surprise attack today

2003-08-22 Thread Doug Barton
On Fri, 22 Aug 2003, Owen DeLong wrote: Sure, it won't happen in 30 minutes, but, I don't understand why this wasn't started when F-Secure first noticed the situation. I seriously doubt that most (any?) ISP would be willing to accept the legal liability for altering anything on the computer

W32/Sobig-F - Halflife correlation ???

2003-08-22 Thread Matt Martini
I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity. I routed traffic to these 20 ips to Null0. At 3:09 I started getting traffic from 10 of the 20 machines to a Halflife server on my network. This continued

Re: W32/Sobig-F - Halflife correlation ???

2003-08-22 Thread Robert Blayzor
On 8/22/03 8:50 PM, Matt Martini [EMAIL PROTECTED] wrote: I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity. If what you claim is correct, this could be very bad. The virus is already there on many

Re: Cisco OC-3c card question

2003-08-22 Thread neal rauhauser
PA-POS for OC3-c can be pretty expensive - $3000 or so. If you don't mind the cell tax the PA-A1-OC3 are only $500 or so but I'm not sure if they ever made a VXR model of this card. The PA-A3-OC3 are about $1000. The difference between the PA-A1 and PA-A3, besides the possible VXR/non VXR

RE: W32/Sobig-F - Halflife correlation ???

2003-08-22 Thread Jim Popovitch
-Original Message- From: Matt Martini Sent: Friday, 22 August, 2003 20:51 To: North American Network Operators Group Subject: W32/Sobig-F - Halflife correlation ??? Are there any halflife vulnerabilities that the virus writers are using? There are many hl vulnerabilities,

TNT issues workaround

2003-08-22 Thread Brian Wallingford
I haven't seen specific details posted here, so: Like many others, we've had a few TNTs online for years without hiccups or reboots until this week. Beginning late Sunday, we saw seemingly random blade reboots, and total system crashes. Errors ranged from memory leaks to infinite loops on the