[nsp-sec] UDP port 2001 attack
Mike Tancsa
mike at sentex.net
Thu Oct 3 16:54:06 EDT 2013
Hi,
We have had a customer being attacked with a gig or so of traffic off
and on for a few days now. Today from UTC 19:11 to ~ 19:22. Target was
64.7.156.74, UDP port 2001 large packets of junk that get fragmented of
course.
I don't think the source addresses are spoofed as they seem to correspond
to the inbound interfaces / networks I expect the packets to come in on
(e.g. Packets from AS812 come in via my peer with them as opposed to via
a random transit link)
List attached.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
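The ingress-consistency reasoning in the message above, as an added example that is not part of the original post: each source address is mapped to its origin AS by longest-prefix match and compared with the interfaces that AS is expected to arrive on. All prefixes, AS numbers, interface names and flow records are constructed (documentation ranges), not taken from the attached list.

```python
import ipaddress
from collections import Counter

# Constructed routing view: prefix -> origin AS (RFC 5737 / RFC 5398 documentation ranges).
PREFIX_ORIGIN = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "192.0.2.0/25": 64502,
    "192.0.2.0/24": 64503,
}
# Constructed policy: interfaces on which traffic from each origin AS normally arrives.
EXPECTED_INGRESS = {
    64500: {"peer-a"},
    64501: {"transit-1", "transit-2"},
    64502: {"peer-b"},
    64503: {"transit-1"},
}

# Most specific prefixes first, so the first hit is the longest match.
_NETS = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_ORIGIN.items()),
    key=lambda item: item[0].prefixlen, reverse=True,
)

def origin_as(src):
    """Longest-prefix match of src against the routing view; None if unrouted."""
    addr = ipaddress.ip_address(src)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return None

def classify(flow):
    """Return 'consistent', 'unexpected-ingress' or 'unrouted' for (src, ingress_if)."""
    src, ingress_if = flow
    asn = origin_as(src)
    if asn is None:
        return "unrouted"
    ok = ingress_if in EXPECTED_INGRESS.get(asn, set())
    return "consistent" if ok else "unexpected-ingress"

def summarize(flows):
    """Count flows per verdict; many non-consistent flows point towards spoofing."""
    return Counter(classify(f) for f in flows)

# Constructed flow samples: (source address, ingress interface).
SAMPLE_FLOWS = [
    ("198.51.100.7", "peer-a"), ("203.0.113.9", "transit-2"),
    ("192.0.2.10", "peer-b"), ("192.0.2.200", "transit-1"),
    ("198.51.100.8", "transit-1"),  # peer AS arriving via transit
    ("10.1.2.3", "transit-1"),      # no covering route
]
```

A high share of consistent flows supports the not-spoofed reading without proving it: a host that forges addresses from within its own AS still arrives on that AS's expected interface.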
-------------- next part --------------
Bulk mode; whois.cymru.com [2013-10-03 20:45:12 +0000]