[nsp-sec] backscatter from AS36666 attack

Mike Tancsa mike at sentex.net
Mon Aug 16 22:58:41 EDT 2010


Based on the inbound RSTs, it appears someone was spoofing one of my 
/20s in what appears to be an attack on 72.10.163.0/26.  It was a 
fairly high pps response and overwhelmed a couple of my customer's 
older colo boxes, but I am dropping the RSTs at my edge so we are OK 
for now. But if anything can be done to stop the attack against 
72.10.163.0/26 it would save me a few GB of log space :)

Times below are GMT -400

# whois -h whois.cymru.com 72.10.163.59
AS      | IP               | AS Name
36666   | 72.10.163.59     | GTCOMM - GloboTech Communications

StartTime           Flgs  Proto  SrcAddr  Sport       Dir  DstAddr  Dport        TotPkts  TotBytes  State
2010-08-16 21:50:5  M     tcp    72.10.163.28.15909   ?>   67.43.128.136.61226         2       124  R_
2010-08-16 21:51:2  M     tcp    72.10.163.28.61752   ?>   64.7.135.6.35172            2       124  R_
2010-08-16 21:51:5  M     tcp    72.10.163.28.49690   ?>   64.7.149.127.49684          2       124  R_
2010-08-16 21:52:1  eU    tcp    72.10.163.28.10266   ?>   64.7.141.51.28128           1        60  R_
2010-08-16 21:52:5  e     tcp    72.10.163.59.52520   ?>   67.43.128.172.37148         1        60  R_
2010-08-16 21:52:5  M     tcp    72.10.163.59.32246   ?>   67.43.131.76.5849           2       124  R_
2010-08-16 21:52:5  MT    tcp    72.10.163.59.48223   ?>   67.43.131.70.36303          2       124  R_
2010-08-16 21:52:5  e     tcp    72.10.163.28.16723   ?>   67.43.139.15.47696          1        60  R_
2010-08-16 21:52:5  e     tcp    72.10.163.28.63801   ?>   67.43.139.15.44476          1        60  R_
2010-08-16 21:52:5  e     tcp    72.10.163.28.23734   ?>   67.43.128.174.32157         1        60  R_
2010-08-16 21:52:5  e     tcp    72.10.163.28.63113   ?>   67.43.139.8.5507            1        60  R_
2010-08-16 21:52:5  eT    tcp    72.10.163.28.59302   ?>   67.43.130.138.7027         17       918  R_
2010-08-16 21:52:5  M     tcp    72.10.163.28.10176   ?>   67.43.128.182.63222         2       124  R_
2010-08-16 21:52:5  M     tcp    72.10.163.30.23586   ?>   67.43.131.48.39719          2       124  R_
2010-08-16 21:52:5  M     tcp    72.10.163.30.20223   ?>   67.43.131.143.29273         2       124  R_
2010-08-16 21:52:5  e     tcp    72.10.163.28.40609   ?>   67.43.132.25.37055          1        60  R_
2010-08-16 21:52:5  e     tcp    72.10.163.30.16941   ?>   67.43.139.7.47319           1        60  R_
2010-08-16 21:52:5  M     tcp    72.10.163.30.34816   ?>   67.43.131.135.9381          2       124  R_
2010-08-16 21:52:5  M     tcp    72.10.163.30.13919   ?>   67.43.129.215.58590         2       124  R_
2010-08-16 21:52:5  e     tcp    72.10.163.30.56770   ?>   67.43.132.20.25144          1        60  R_
2010-08-16 21:52:5  M     tcp    72.10.163.30.50791   ?>   67.43.131.170.46362         2       124  R_



--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
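
The inference in the message above (RSTs arriving from a small source range toward many different local addresses point to local space being spoofed at that range) can be checked over flow records. This is an added example, not part of the original post: the function names, the /26 grouping default and the threshold are assumptions, and the sample records are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (documentation ranges, not data from the post), one
# record per line: time, flags, proto, src.port, dir, dst.port, pkts, bytes, state.
SAMPLE = """\
2010-08-16 21:52:5  M   tcp  198.51.100.28.15909  ?>  203.0.113.136.61226   2   124  R_
2010-08-16 21:52:5  e   tcp  198.51.100.28.10266  ?>  203.0.113.51.28128    1    60  R_
2010-08-16 21:52:5  M   tcp  198.51.100.59.32246  ?>  203.0.113.76.5849     2   124  R_
2010-08-16 21:52:5  e   tcp  198.51.100.30.16941  ?>  203.0.113.7.47319     1    60  R_
2010-08-16 21:52:6  e   tcp  192.0.2.10.80        ?>  203.0.113.9.40000     1    60  R_
2010-08-16 21:52:6  e   tcp  192.0.2.10.443       ->  203.0.113.7.51000    12  9000  CON
"""

def endpoint_ip(field):
    """Return the address part of an 'a.b.c.d.port' field."""
    addr, _port = field.rsplit(".", 1)
    return ipaddress.ip_address(addr)

def rst_backscatter(text, local_nets, src_prefix=26, min_targets=3):
    """Group RST-state TCP flows into local_nets by source prefix.

    Returns {source network: stats} for sources that reset at least
    min_targets distinct local addresses, the pattern seen when local
    addresses are spoofed in traffic sent to that source.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "targets": set()})
    for line in text.splitlines():
        f = line.split()
        # Index from the right so an empty Flgs column does not shift fields.
        if len(f) < 9 or f[-1] != "R_" or f[-7] != "tcp":
            continue
        src = endpoint_ip(f[-6])
        dst = endpoint_ip(f[-4])
        if not any(dst in n for n in local):
            continue
        s = stats[ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)]
        s["flows"] += 1
        s["pkts"] += int(f[-3])
        s["targets"].add(dst)
    return {str(k): {"flows": v["flows"], "pkts": v["pkts"], "targets": len(v["targets"])}
            for k, v in stats.items() if len(v["targets"]) >= min_targets}

if __name__ == "__main__":
    for net, s in rst_backscatter(SAMPLE, ["203.0.113.0/24"]).items():
        print(net, s)
```

A single source that resets one local address stays below the threshold, so ordinary connection resets are not reported.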



