Hi everybody,
Last two days I was under an interesting attack which comes from multiple
sources to three of my ADSL users destination.
The attack make router to ran out of CPU and we had to reload it to solve.
I ask those three users and they said we are only game players and all of
them were kids, I think they told the true, they told we are playing:
http://intl.garena.com/
Attacks takes only 20 or 30 minutes and it happens only 4 times in two days.
I could'nt capture any packet but this is out put of my "show ip
accounting" that time:
Source Destination Packets Bytes
212.180.138.90 128.141.119.209 117 5148
135.62.255.246 128.141.119.209 117 5148
46.136.27.13 128.141.119.209 117 5148
25.181.84.74 128.141.119.209 117 5148
108.0.207.17 128.141.119.209 117 5148
181.95.89.1 128.141.119.209 117 5148
36.161.28.42 128.141.119.209 117 5148
39.130.139.157 128.141.119.209 117 5148
139.81.4.106 128.141.119.209 117 5148
3.229.28.78 128.141.119.209 117 5148
115.28.11.208 128.141.119.209 117 5148
206.42.151.199 128.141.119.209 117 5148
213.221.149.41 128.141.119.209 117 5148
81.203.234.196 128.140.109.209 117 5148
43.134.71.94 128.141.119.209 117 5148
157.69.74.39 128.141.119.209 117 5148
16.206.47.71 128.141.119.209 117 5148
77.25.17.243 128.141.119.209 117 5148
If you have any information in this field and you can help me to find who
is behind this, please share.
Thanks
Hi everybody,
Last two days I was under an interesting attack which comes from multiple
sources to three of my ADSL users destination.
You say that it comes from multiple sources to 3 of your DSL users.
The below source/dest though shows that the destination is from CERN in
Switzerland, you know the people who build black holes 
The IP does not ping at the moment, but the whois indicates 'dyn' in the
netname thus that is not too unsurprising.
The attack make router to ran out of CPU and we had to reload it to solve.
I ask those three users and they said we are only game players and all of
them were kids, I think they told the true, they told we are playing:
http://intl.garena.com/
Looks not like a game, just another messenger / IM client.
Attacks takes only 20 or 30 minutes and it happens only 4 times in two days.
I could'nt capture any packet but this is out put of my "show ip
accounting" that time:
You'll be needing a bit more info than that... and 117 packets with a
total of 5148 bytes is not a lot of traffic to put anything down (unless
it is a targeted attack)
You might though contact the CERN NOC, if you really think something is
funny there. Timestamps might be very useful to provide though,
especially if the IP is really dynamic.
Greets,
Jeroen
I see these type of reflection/amplification attacks pretty frequently.
Some games (mostly older games) are exploitable in this manner. The
attacker sends a short spoofed request, and the game server sends back a
huge chunk of data aimed at you. The chances of you finding the actual
source are pretty slim. Usually this type of attack is going to be coming
from / going to a specific port that you (or your upstream provider) can
ACL.
Clayton
Those ip addresses I send were only sample, its 5 page 
and not only
those addresses.
And you are looking to target 128.141.X.Y its mine and I change it because
of mailing list, maybe attackers are here.
You must check the sources not destination.
Thanks
a message of 55 lines which said:
Those ip addresses I send were only sample, its 5 page 
and not
only those addresses.
Because the attacker attacks when they have a new opponent. They DoS
it long enough to win a race, then start a new fight in the game.
And you are looking to target 128.141.X.Y its mine and I change it because
of mailing list, maybe attackers are here.
You must check the sources not destination.
What Jeroen said is that source IP addresses are spoofed (which is
common with UDP-based protocols such as the DNS). They are the
victim's addresses, not the attacker's.
Those ip addresses I send were only sample, its 5 page and not only
those addresses.
And you are looking to target 128.141.X.Y its mine
128.141.0.0/16 is CERN in Switzerland.
Thus not yours, but "owned"(*) by noc@cern.ch.
(unless you work there, but I don't think that is the case...)
If you have the need to hide your IP addresses, then do so properly by
marking them as x.x.x.x, don't use other people's IP addresses as
examples that only causes alarm bells to ring and people to do
unnecessary work. And then the next time you complain people will nicely
just ignore you.
and I change it
because of mailing list, maybe attackers are here.
Obviously you have something to hide from and something that those
attackers want to attack.
That is the first problem that you need to solve IMHO, not having
anything that needs to be attacked is a very good strategy.
Greets,
Jeroen
(* = pre-RIR alloc, then then it is more 'owned' right? 
Hi.
The IPs you see is the exploited gameservers, so "just" contact them, and send them the link below.
There is a workaround for it:
http://rankgamehosting.ru/index.php?showtopic=1320
We have had problem with this in the past. Usually we get "abuse complaints" from the admin of the game server(s) claiming one of our customers is DDoSing them, when in fact their servers are used to DDoS our customer(s).
After explaining how the DDoS works and sending them the link above, they fix the problem on their side.
We have also tried to send abuse messages to the ISPs of the exploited servers, and can't say that we are pleased with the response, the small ISPs responded and took care of the issue (talked with their customers), most big ones didn't even send a ACK back.
When this attack type was used (1+ year ago) we had aprox 3.5 Gbit coming from the gameservers.
Attacks on gaming systems or at the gamers themselves are unfortunately
quite common. Many of the DNS 'IN ANY' amplification and reflection
attacks for instance appear to involve online games. We've also seen
some similar reflection attacks involving CoD systems as someone else
alluded in a link post. Dissimilar in attack profile, but similar in
target were the frequent, but brief Xbox packet floods that attempted
to disrupt a gamer's session.
It can be extremely difficult to assign attribution for any particular
attack without a great deal of effort on your part, often in being
prepared with lots of data collection in advance, plus the selfless
cooperation of other network operators. The latter is often the
biggest challenge given that you're often relying on the good will and
limited available time of 3rd parties to work on it.
While many of the most recent attacks are performing address spoofing,
collecting raw packet detail and knowing where it enters your network
can offer at least the start of where to look for it. You can at least
start with your peer or upstream. Examine IP TTLs to gauge at least
how far back those packets are coming from. If your network is
diverse enough from a global routing perspective, you may be able to
triangulate it better.
I'd be particularly interested in working with folks in tracking down
the DNS 'IN ANY' style attacks to the attack code or source attacks.
Please shoot me an email off list or see me at NANOG 57 to discuss.
John