Anyone seeing routing problems with Level3 at this hour? I just witnessed tons of prefixes behind level3's network withdraw. Any information on what is happening (if you know) would be great. Thanks!
-hc
I dunno about that. But, I am seeing, in the last couple hours, all kinds
of new traffic.
like, customers who never get attacked or anything, all of a sudden:
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
We are seeing this on ports all across our network -- nearly 1/2 our ports
are in delta alarm right now.
Anyone else?
I will dig more to look at the traffic.
Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from all over
the world to any address on my network.
Interesting, at almost the exact same time (call it 12:30), qwest dropped
all but 1000 routes through IAD...still trying to get somebody on the
phone at their IP noc, not having much luck. Genuity seems fine at the
moment...
Any speculation yet? Kind of an odd coincidence of problems...
Oh, just got through...fiber cut in DC?
Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
We just had a box inside one of my customer's networks start sending tons
of small packets, not sure what kind yet.
Same here...
My connection with AADS has doubled in traffic, and everything else.
I've doubled my network traffic since 11:30ish PM CST...
If anyone has an idea of what's going on...
AS5006 is where I'm at.
-Eric
Internap has posted an alert noting widespread latency and packetloss
affecting all their pnaps.
Any SQL Server host at my facility shows an enormous traffic spike at the
times below. We've begun filtering udp port 1434 in/out.
We are also seeing this traffic at AS4436. Appears to be coming from IP
addresses all over the space. Here's a box that traps all of
165.227.0.0/16:
23:08:13.257197 165.194.123.131.1227 > 165.227.92.176.1434: udp 376
23:08:13.259778 129.187.150.78.2667 > 165.227.84.186.1434: udp 376
23:08:13.276695 61.40.143.242.3794 > 165.227.21.48.1434: udp 376
23:08:13.284191 128.218.133.213.1078 > 165.227.198.96.1434: udp 376
23:08:13.286648 169.229.141.44.1065 > 165.227.255.90.1434: udp 376
23:08:13.294512 218.232.109.22.3302 > 165.227.146.129.1434: udp 376
23:08:13.300412 137.79.10.100.2478 > 165.227.5.230.1434: udp 376
23:08:13.302869 128.143.100.86.1397 > 165.227.41.248.1434: udp 376
23:08:13.317327 203.226.64.220.3081 > 165.227.216.188.1434: udp 376
23:08:13.319908 209.41.170.8.4033 > 165.227.252.85.1434: udp 376
23:08:13.322365 64.71.177.201.2439 > 165.227.128.21.1434: udp 376
23:08:13.327937 216.120.60.154.3005 > 165.227.125.156.1434: udp 376
23:08:13.330435 64.239.145.3.3231 > 165.227.4.161.1434: udp 376
23:08:13.333016 204.228.229.106.4049 > 165.227.238.69.1434: udp 376
23:08:13.335350 212.209.231.186.52703 > 165.227.38.136.1434: udp 376
23:08:13.337930 207.46.200.162.2343 > 165.227.96.170.1434: udp 376
23:08:13.340388 61.178.83.30.4525 > 165.227.77.119.1434: udp 376
23:08:13.342887 62.250.16.28.1385 > 165.227.119.91.1434: udp 376
23:08:13.345468 66.155.116.10.1041 > 165.227.106.35.1434: udp 376
23:08:13.362506 207.226.255.124.2331 > 165.227.189.42.1434: udp 376
23:08:13.364964 63.241.139.196.1150 > 165.227.135.221.1434: udp 376
23:08:13.367422 66.109.239.200.1117 > 165.227.67.250.1434: udp 376
23:08:13.370042 194.100.187.36.2342 > 165.227.103.27.1434: udp 376
23:08:13.372501 158.38.141.86.3269 > 165.227.239.113.1434: udp 376
23:08:13.374959 212.71.66.23.2019 > 165.227.232.118.1434: udp 376
23:08:13.377417 158.38.141.65.1382 > 165.227.169.58.1434: udp 376
23:08:13.379915 130.127.8.157.2980 > 165.227.107.122.1434: udp 376
23:08:13.382496 207.46.200.146.2718 > 165.227.49.107.1434: udp 376
23:08:13.386100 80.237.200.171.1198 > 165.227.93.216.1434: udp 376
23:08:13.388557 64.71.180.135.1915 > 165.227.38.41.1434: udp 376
23:08:13.394660 211.117.60.188.2806 > 165.227.49.12.1434: udp 376
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Granados
Sent: Friday, January 24, 2003 10:41 PM
To: Alex Rubenstein
Cc: hc; nanog@merit.edu
Subject: Re: Level3 routing issues?

We just had a box inside one of my customers networks start
sending tons of small packets not sure what kind yet.

> I dunno about that. But, I am seeing, in the last couple hours, all
> kinds of new traffic.
>
> like, customers who never get attacked or anything, all of a sudden:
>
> http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.
Same here, I thought at first it was some really strange effect of my ATM switch upgrade as the traffic started almost at the exact same time. I am seeing a 100% increase in traffic right now and a chunk of my colo customer's machines are infected.
---Mike
MSSQL worm/DDOS/Exploit on UDP/1434
A bunch of us are blocking UDP/1434 destinations.
http://www.nextgenss.com/advisories/mssql-udp.txt
Larry Rosenman
Internet America/PDQ.NET/neosoft.com
AS4278/AS3764
Yup - got that. I sent my post to nanog quite a while ago. Unfortunately,
it took a little while to come to life. Gee, I wonder why?
We're doing some really cool blocking now. Now it's time to get the
customers to secure their boxen.
-Eric
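The capture posted earlier in this thread shows 376-byte UDP datagrams to port 1434 arriving from many sources at many different addresses. The following is an added example, not part of the original thread, that summarizes tcpdump output in that format for triage; the sample lines are constructed from documentation address ranges, and the function names and the 0.9 target-spread threshold are assumptions.

```python
import re

# tcpdump line format used in the capture posted in this thread:
#   HH:MM:SS.frac src_ip.src_port > dst_ip.dst_port: udp LENGTH
LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)$"
)

# Constructed sample (documentation address ranges), not real traffic.
SAMPLE = """\
23:08:13.100000 192.0.2.10.1227 > 203.0.113.5.1434: udp 376
23:08:13.150000 198.51.100.7.2667 > 203.0.113.77.1434: udp 376
23:08:13.200000 192.0.2.44.3794 > 203.0.113.140.1434: udp 376
23:08:13.250000 198.51.100.90.1078 > 203.0.113.201.1434: udp 376
23:08:13.300000 192.0.2.10.1065 > 203.0.113.9.1434: udp 376
23:08:13.320000 192.0.2.53.4000 > 203.0.113.2.53: udp 45
23:08:13.400000 198.51.100.7.1500 > 203.0.113.30.1434: udp 20
truncated line with no fields
"""

def parse(text):
    """Yield (seconds, src, dst, dport, length) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # malformed or non-UDP line
        h, mi, s, src, dst, dport, length = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport), int(length)

def summarize(text, port=1434, size=376):
    """Count packets matching the port and size reported in the thread."""
    hits = [p for p in parse(text) if p[3] == port and p[4] == size]
    times = [p[0] for p in hits]
    span = max(times) - min(times) if hits else 0.0
    return {
        "packets": len(hits),
        "sources": len({p[1] for p in hits}),
        "targets": len({p[2] for p in hits}),
        "pps": round(len(hits) / span, 1) if span > 0 else 0.0,
    }

def looks_like_sweep(summary, min_packets=5):
    """True when several sources hit a new target with nearly every packet."""
    return (summary["packets"] >= min_packets and summary["sources"] > 1
            and summary["targets"] >= 0.9 * summary["packets"])

if __name__ == "__main__":
    print(summarize(SAMPLE), looks_like_sweep(summarize(SAMPLE)))
```

A high ratio of distinct targets to packets separates address-space sweeping from a flood aimed at one host, which matters when deciding whether to filter the port at the border or protect a single victim.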