[nsp-sec] TCP Flood to 2.1.4.245
Rob Shakir
rjs at eng.gxn.net
Mon Nov 30 10:45:33 EST 2009
On 18 Nov 2009, at 17:24, Rob Shakir wrote:
> This afternoon we saw some odd traffic towards one of the RIPE NCC's
> de-bogonising prefixes (2.1.0.0/21), and in particular 2.1.4.245/32
> within this. The traffic looked to be from spoofed sequential
> sources, and was 650 byte TCP packets with randomised source and
> destination ports (approximately uniform distribution of src/dst
> port pairs).
Hi NSP Sec,
Following on from this mail, I've spoken to Erik Romijn over at the
RIPE NCC, and found out a little more data.
This attack was destined to 2.1.4.245/32, which is not used within the
de-bogonising beacon project. RIS only has a 10Mbps port, so the
traffic that was delivered to them merely saturated their port,
anything that did get through to their box was dropped.
From the AMS-IX sFlow, it looks like the following traffic tried to
hit their port:
> RIS data:
>
> - 6453 (TATA ), 1.5 Gbit/s (BGP up 1 week)
> - 5413 (You ), 650 Mbit/s (BGP up 1 week)
> - 30132 (ISC ), 3.5 Mbit/s (BGP up 1d 9h)
> - 1299 (Telia), 300 Kbit/s (BGP up 4.5 days)
>
> 6762 (Telecom Italia), 12956 (Telefonica), 6774 (Belgacom), 12859 (BIT)
> and about 50 others did not show any change.
So, it looks like this was quite specific in source - and that this
traffic was delivered mainly via ourselves, and TATA. I haven't got a
conclusive list of who actually transits these prefixes, but RIPE
informed me that relatively few people do.
This is mainly just a follow up - but if anyone from TATA on-list has
any further data, that would be much appreciated.
In addition, could someone from 1299 contact me off-list as regards
the routing of these prefixes if possible?
Many thanks,
Rob
--
Rob Shakir <rjs at eng.gxn.net>
Network Development Engineer GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE
This email is subject to: http://www.vialtus.com/disclaimer.html