Thread: DOS attack

  1. #1
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243

    DOS attack

    At the moment, it appears that I'm the target of an attack from IP 212.48.158.153. The incoming log on my Linksys router shows it's being flooded by incoming packets from this IP that it's having to reject. I can't perform a tracert to the IP since the router is overworked blocking incoming packets.

    The only info I can get back is that the attack is coming from MOSKVA, Russia.

  2. #2
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243
    Here's the incoming log file. Whoever it is, is doing a full port scan of the system.

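    As an added example (not from the thread or any poster), here is a small Python script that reads a two-column "Source IP / Destination Port" log like the Linksys one above and flags any source that probed many distinct ports, which is the pattern being described as a full port scan. The sample log lines are constructed with RFC 5737 test addresses rather than the thread's addresses, and the five-port threshold is an assumption.

```python
# Flag port-scan behaviour in a Linksys-style "Source IP  Destination Port" log.
from collections import defaultdict, namedtuple

# Constructed sample in the router's two-column format (RFC 5737 test
# addresses, not the addresses from the thread). Duplicate lines mimic the
# repeated entries a router records when the same probe is retried.
SAMPLE_LOG = """\
Source IP Destination Port Number
192.0.2.53 1581
192.0.2.53 4127
192.0.2.53 1555
192.0.2.53 1533
192.0.2.53 1533
192.0.2.53 1511
198.51.100.7 1219
192.0.2.53 3272
192.0.2.53 3259
192.0.2.53 4026
192.0.2.53 3259
192.0.2.53 1443
"""

SourceSummary = namedtuple("SourceSummary", "source hits distinct_ports low high")

def parse_log(text):
    """Map each source IP to the list of destination ports it hit.
    The header and any malformed line are skipped: logs copied out of a
    router web UI are often truncated or have stray text mixed in."""
    ports = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        ports[parts[0]].append(int(parts[1]))
    return ports

def suspected_scanners(text, min_distinct_ports=5):
    """Sources that probed at least min_distinct_ports different ports,
    busiest first. The threshold is a tunable assumption, not a router setting."""
    found = []
    for src, hit in parse_log(text).items():
        distinct = len(set(hit))
        if distinct >= min_distinct_ports:
            found.append(SourceSummary(src, len(hit), distinct, min(hit), max(hit)))
    return sorted(found, key=lambda s: s.distinct_ports, reverse=True)

if __name__ == "__main__":
    for s in suspected_scanners(SAMPLE_LOG):
        print(f"{s.source}: {s.hits} hits on {s.distinct_ports} ports ({s.low}-{s.high})")
```

    A single stray entry from another address, like the one-off line in the sample, stays below the threshold and is not reported.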

  3. #3
    AMDave, Seeker of the exit clause, Moderator
    Site Admin
    Join Date
    Jun 2004
    Location
    Deep in a while loop
    Posts
    9,658
    Block the IP range immediately.

    You can use SANS for your tracert
    http://isc.sans.org/

    If they get past your IP block after a day or 2, email
    fom@fom.ru

    If they fail to do anything about it and the problem continues, contact your ISP

  4. #4
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243
    My router doesn't have the option to block internet IP ranges, but it was a good thought.

    Here's the info from SANS:

    IP Address: 212.48.158.153
    HostName: www.fom.ru
    DShield Profile: Country: RU
    Contact E-mail:
    AS Number: 6788
    AS Name: ORC-AS Online Resource Center ISP
    AS Contact: eugene@nc.orc.ru
    Total Records against IP: not processed

    Whois: (cached Tue, 13 Dec 2005 15:22:41 +0000)
    [Querying whois.ripe.net]
    [whois.ripe.net]
    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-pr...-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '212.48.158.152 - 212.48.158.155'

    inetnum: 212.48.158.152 - 212.48.158.155
    netname: FOM-HS-NET
    descr: Network of Public Opinion foundation
    country: RU
    admin-c: AV4236-RIPE
    tech-c: AV4236-RIPE
    status: ASSIGNED PA
    mnt-by: AS6788-MNT
    source: RIPE # Filtered

    person: Andrey Vasilevski
    address: Obrucheva str., 28/2
    address: Moscow, Russia
    phone: +7 095 7458765
    fax-no: +7 095 7458765
    e-mail: fom@fom.ru
    nic-hdl: AV4236-RIPE
    mnt-by: AS6788-MNT
    source: RIPE # Filtered

    % Information related to '212.48.128.0/19AS6788'

    route: 212.48.128.0/19
    descr: Online Resource Center, ISP
    origin: AS6788
    mnt-by: AS6788-MNT
    source: RIPE # Filtered

  5. #5
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243
    SANS helped identify the culprit a bit. Their web server's URL is http://www.nc.orc.ru/ and here's the path they are taking to get to me, or at least this is the route from me to them once I discovered their URL.

    McAfee Visual Trace Version 3.25 Results
    Target: www.nc.orc.ru
    Date: 12/13/2005 (Tuesday), 9:45:55 AM
    Nodes: 16
    Node Data
    Node Net Reg IP Address Location Node Name
    1 - - 192.168.1.100 Peoria main
    2 - - 0.0.0.0 Unknown No Response
    3 1 1 12.220.8.9 New York 12-220-8-9.client.insightbb.com
    4 2 1 12.220.1.14 New York 12-220-1-14.client.insightbb.com
    5 3 1 12.220.0.6 New York 12-220-0-6.client.insightbb.com
    6 4 2 12.123.4.230 Chicago tbr2-p012001.cgcil.ip.att.net
    7 5 2 12.123.6.69 Chicago ggr2-p3120.cgcil.ip.att.net
    8 6 3 4.68.127.165 Chicago so-9-1.car4.chicago1.level3.net
    9 6 3 4.68.101.161 Chicago ae-1-56.bbr2.chicago1.level3.net
    10 6 3 4.68.128.70 STOCKHOLM so-3-0-0.mp2.stockholm1.level3.net
    11 6 - 4.68.96.226 Charlotte
    12 7 - 213.242.110.130 STOCKHOLM
    13 8 4 194.186.157.2 MOSKVA cat02.moscow.gldn.net
    14 9 4 194.186.0.130 MOSKVA orc-gw.moscow.gldn.net
    15 10 5 212.48.128.241 MOSKVA hq-1-fa0-128.nc.orc.ru
    16 10 5 212.48.128.149 MOSKVA cave.nc.orc.ru
    Packet Data
    Node High Low Avg Tot Lost
    1 0 0 0 1 0
    2 ---- ---- ---- 2 2
    3 0 0 0 1 0
    4 31 31 31 1 0
    5 40 40 40 1 0
    6 40 40 40 1 0
    7 47 47 47 1 0
    8 53 53 53 1 0
    9 49 49 49 1 0
    10 181 181 181 1 0
    11 179 179 179 1 0
    12 193 193 193 1 0
    13 188 188 188 1 0
    14 194 194 194 1 0
    15 193 193 193 1 0
    16 166 166 166 1 0
    Network Data
    Network id#: 1
    AT&T WorldNet Services ATT (NET-12-0-0-0-1)
    12.0.0.0 - 12.255.255.255
    Insight Communications Company INSIGHTI-12-220-0-0 (NET-12-220-0-0-1)
    12.220.0.0 - 12.220.15.255

    Network id#: 2
    AT&T WorldNet Services ATT (NET-12-0-0-0-1)
    12.0.0.0 - 12.255.255.255
    Insight Communications Company INSIGHTI-12-220-0-0 (NET-12-220-0-0-1)
    12.220.0.0 - 12.220.15.255

    Network id#: 3
    AT&T WorldNet Services ATT (NET-12-0-0-0-1)
    12.0.0.0 - 12.255.255.255
    Insight Communications Company INSIGHTI-12-220-0-0 (NET-12-220-0-0-1)
    12.220.0.0 - 12.220.15.255

    Network id#: 4
    AT&T WorldNet Services ATT (NET-12-0-0-0-1)
    12.0.0.0 - 12.255.255.255
    AT&T Worldnet Services ATTSVI-12-122-0-0 (NET-12-122-0-0-1)
    12.122.0.0 - 12.123.255.255

    Network id#: 5
    AT&T WorldNet Services ATT (NET-12-0-0-0-1)
    12.0.0.0 - 12.255.255.255
    AT&T Worldnet Services ATTSVI-12-122-0-0 (NET-12-122-0-0-1)
    12.122.0.0 - 12.123.255.255

    Network id#: 6

    OrgName: Level 3 Communications, Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US

    Network id#: 7
    Level (3) Communications
    100 Leman Street
    London
    E1 8EU

    Network id#: 8
    SOVAM TELEPORT Company Ltd.
    2A Nezhdanova St.
    103009 Moscow
    Russia

    Network id#: 9
    SOVAM TELEPORT Company Ltd.
    2A Nezhdanova St.
    103009 Moscow
    Russia

    Network id#: 10
    Online Resource Center, ISP
    Office 110, Gubkina str. 8,
    117966, Moscow, Russia
    Registrant Data
    Registrant id#: 1
    Registrant:
    Insight Communications
    810 7th Avenue
    New York, NY 10019
    US

    Registrant id#: 2
    Registrant:
    AT&T Corp
    55 Corporate Drive
    Bridgewater, NJ 08807
    US

    Registrant id#: 3
    See Registrant Pane for registrant contact information.

    Registrant id#: 4
    Registrant:
    Teleross Ltd
    2 Krasnokazarmennaya
    Moscow 111250
    RU

    Registrant id#: 5
    See Registrant Pane for registrant contact information.
    Visual Trace Copyright ©1997-2001 NeoWorx Inc

  6. #6
    AMDave, Seeker of the exit clause, Moderator
    Site Admin
    Join Date
    Jun 2004
    Location
    Deep in a while loop
    Posts
    9,658
    It appears that someone has hacked the "RUSSIAN LINUX MIRROR ARCHIVE" and is using it (and its fast internet access) to probe other machines.

    eugene@nc.orc.ru may not even know about the hack.
    Suggest you email ASAP.
    I found his phone number if you can speak Russian.

  7. #7
    Join Date
    Nov 2005
    Location
    Central Pennsylvania
    Posts
    4,333

    DOS Attack

    I have found these people very helpful when I am under attack.

    http://www.us-cert.gov/

    Since we all know that the US Govt controls the net, who else would be best to help than the founders themselves.

    ***Note: please keep a document of every action that is occurring, log the entire attack. They will want to see those logs and also understand your actions up to the point you contacted them. This will isolate the offenders and allow the SS (Ask NeoGen) to go after the culprits.

    Have a Better day now that you know who to contact, these are the real life Supermen!

    Challenge me, or correct me, but don't ask me to die quietly.

    …Pursuit is always hard, capturing is really not the focus, it’s the hunt ...

  8. #8
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243
    I've sent the owner of the server an email informing them of the issue and requested they address the problem. That was yesterday.

    If the attack is still going on this evening when I get home, I'll need to place a machine in the DMZ to allow Zonealarm to build a proper detailed log of the attack. I know from my own experience my router is a black hole on the internet, not responding to pings or hack attempts. Unless they can discover a yet unknown malformed packet that can compromise the router, giving them access to the administrative functions (which are disabled on the internet side), they are doing little more than being a pest and occasionally hurting my internet connection performance.

    This morning, my router's light was no longer flashing to indicate incoming packets; it was on solid.

  9. #9
    Join Date
    Nov 2005
    Location
    Central Pennsylvania
    Posts
    4,333

    Under Attack

    rrcrain: If you set up a DMZ you could add a treasure chest for the pest to slide inside, and you can capture a picture of them while they're exploring your Honey Pot!

    Just a Thought! Trying to help!


  10. #10
    Join Date
    Aug 2004
    Location
    Edelstein, Illinois
    Posts
    243
    Last night, the DOS attack was turning into a DDOS attack and it was finally beginning to affect performance. My solution is to pull the plug on my cable modem for a few days, which should release my IP address back into the pool. In a few days, I should have a new IP address and someone else can deal with it.
