polarhome under DoS attack

Postby zoli » Wed Apr 02, 2008 11:00 pm

It seems that since 12 o'clock polarhome has been under DoS attack from the following hosts:

Code:
206-221-184-164.fndns.net
ns.km10336.keymachine.de
hd-t2150cl.privatedns.com


Attack looks like this:
Code:
22:42:47.144882 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.kerberos:
22:42:47.144921 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.bnt-manager: UDP, length 22
22:42:47.144960 IP hd-t2150cl.privatedns.com.39124 > 168.31.227.87.static.dre.siw.siwnet.net.de-server: UDP, length 22
22:42:47.147364 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.acp-proto: UDP, length 22
22:42:47.147458 IP 206-221-184-164.fndns.net.54003 > 168.31.227.87.static.dre.siw.siwnet.net.226: UDP, length 22
22:42:47.147505 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.5597: UDP, length 22
22:42:47.147552 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.blwnkl-port: UDP, length 22
22:42:47.147591 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.nbx-ser: UDP, length 22
22:42:47.147628 IP hd-t2150cl.privatedns.com.39124 > 168.31.227.87.static.dre.siw.siwnet.net.dttl: UDP, length 22
22:42:47.147673 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.5835: UDP, length 22
22:42:47.147714 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.ibridge-data: UDP, length 22
22:42:47.147756 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.4192: UDP, length 22
22:42:47.147804 IP 206-221-184-164.fndns.net.54006 > 168.31.227.87.static.dre.siw.siwnet.net.xnm-clear-text: UDP, length 22
22:42:47.147810 IP 168.31.227.87.static.dre.siw.siwnet.net.64125 > ns.naamserver.net.domain: 58575% [1au] PTR? 28.255.79.212.in-addr.arpa. (55)
22:42:47.147851 IP hd-t2150cl.privatedns.com.39124 > 168.31.227.87.static.dre.siw.siwnet.net.5681: UDP, length 22
22:42:47.147893 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.nati-vi-server: UDP, length 22
22:42:47.147932 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.1797: UDP, length 22
22:42:47.147976 IP 206-221-184-164.fndns.net.54009 > 168.31.227.87.static.dre.siw.siwnet.net.cautcpd: UDP, length 22
22:42:47.148021 IP hd-t2150cl.privatedns.com.39124 > 168.31.227.87.static.dre.siw.siwnet.net.suucp: UDP, length 22
22:42:47.148057 IP hd-t2150cl.privatedns.com.39124 > 168.31.227.87.static.dre.siw.siwnet.net.re-conn-proto: UDP, length 22
22:42:47.148344 IP 206-221-184-164.fndns.net.54014 > 168.31.227.87.static.dre.siw.siwnet.net.5507: UDP, length 22
22:42:47.184638 IP 168.31.227.87.static.dre.siw.siwnet.net.smtp > 135.Red-81-36-36.dynamicIP.rima-tde.net.4130: R 0:0(0) ack 3501220229 win 0
22:42:47.186102 IP 168.31.227.87.static.dre.siw.siwnet.net > tserv1.fmt.ipv6.he.net: IP6 polarhome-pt.tunnel.tserv1.fmt.ipv6.he.net.7825 > rbldnsd1.dnsbl.bit.nl.domain: 58505% [1au][|domain]
22:42:47.205514 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.taligent-lm: UDP, length 22
22:42:47.205610 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.4913: UDP, length 22
22:42:47.205737 IP 206-221-184-164.fndns.net.56304 > 168.31.227.87.static.dre.siw.siwnet.net.ms-streaming: UDP, length 22
22:42:47.205806 IP 206-221-184-164.fndns.net.56305 > 168.31.227.87.static.dre.siw.siwnet.net.asdis: UDP, length 22
22:42:47.205848 IP 206-221-184-164.fndns.net.56306 > 168.31.227.87.static.dre.siw.siwnet.net.docent: UDP, length 22
22:42:47.205889 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.4961: UDP, length 22
22:42:47.205930 IP ns.km10336.keymachine.de.35759 > 168.31.227.87.static.dre.siw.siwnet.net.ora-lm: UDP, length 22
22:42:47.205971 IP 206-221-184-164.fndns.net.56309 > 168.31.227.87.static.dre.siw.siwnet.net.4548: UDP, length 22
22:42:47.206010 IP 206-221-184-164.fndns.net.56312 > 168.31.227.87.static.dre.siw.siwnet.net.starbot: UDP, length 22
22:42:47.206046 IP 206-221-184-164.fndns.net.56315 > 168.31.227.87.static.dre.siw.siwnet.net.dbref: UDP, length 22
22:42:47.206085 IP 206-221-184-164.fndns.net.56317 > 168.31.227.87.static.dre.siw.siwnet.net.vpvd: UDP, length 22
22:42:47.206453 IP 206-221-184-164.fndns.net.56323 > 168.31.227.87.static.dre.siw.siwnet.net.wrs_registry: UDP, length 22
22:42:47.206539 IP 206-221-184-164.fndns.net.56324 > 168.31.227.87.static.dre.siw.siwnet.net.gbjd816: UDP, length 22
22:42:47.208202 IP 206-221-184-164.fndns.net.56388 > 168.31.227.87.static.dre.siw.siwnet.net.5134: UDP, length 22
22:42:47.208313 IP 206-221-184-164.fndns.net.56391 > 168.31.227.87.static.dre.siw.siwnet.net.citrixima: UDP, length 22
22:42:47.209904 IP 206-221-184-164.fndns.net.56476 > 168.31.227.87.static.dre.siw.siwnet.net.jmact6: UDP, length 22
22:42:47.209958 IP 206-221-184-164.fndns.net.56480 > 168.31.227.87.static.dre.siw.siwnet.net.mgcp-gateway: UDP, length 22
22:42:47.210000 IP 206-221-184-164.fndns.net.56482 > 168.31.227.87.static.dre.siw.siwnet.net.opus-services: UDP, length 22
22:42:47.210038 IP 206-221-184-164.fndns.net.56486 > 168.31.227.87.static.dre.siw.siwnet.net.watcomdebug: UDP, length 22
22:42:47.210082 IP 206-221-184-164.fndns.net.56489 > 168.31.227.87.static.dre.siw.siwnet.net.ms-olap3: UDP, length 22
22:42:47.210122 IP 206-221-184-164.fndns.net.56492 > 168.31.227.87.static.dre.siw.siwnet.net.ups-engine: UDP, length 22
22:42:47.210161 IP 206-221-184-164.fndns.net.56494 > 168.31.227.87.static.dre.siw.siwnet.net.811: UDP, length 22
22:42:47.210203 IP 206-221-184-164.fndns.net.56497 > 168.31.227.87.static.dre.siw.siwnet.net.nuxsl: UDP, length 22
22:42:47.210263 IP 206-221-184-164.fndns.net.56499 > 168.31.227.87.static.dre.siw.siwnet.net.wmc-log-svc: UDP, length 22
22:42:47.210308 IP 206-221-184-164.fndns.net.56500 > 168.31.227.87.static.dre.siw.siwnet.net.heartbeat: UDP, length 22
22:42:47.210348 IP 206-221-184-164.fndns.net.56504 > 168.31.227.87.static.dre.siw.siwnet.net.adobeserver-1: UDP, length 22
22:42:47.210387 IP 206-221-184-164.fndns.net.56507 > 168.31.227.87.static.dre.siw.siwnet.net.accelenet: UDP, length 22
22:42:47.210429 IP 206-221-184-164.fndns.net.56510 > 168.31.227.87.static.dre.siw.siwnet.net.stone-design-1: UDP, length 22
22:42:47.210472 IP 206-221-184-164.fndns.net.56511 > 168.31.227.87.static.dre.siw.siwnet.net.5712: UDP, length 22
22:42:47.210509 IP 206-221-184-164.fndns.net.56515 > 168.31.227.87.static.dre.siw.siwnet.net.exapt-lmgr: UDP, length 22
22:42:47.210686 IP 206-221-184-164.fndns.net.56516 > 168.31.227.87.static.dre.siw.siwnet.net.hp-hcip: UDP, length 22
22:42:47.210744 IP 206-221-184-164.fndns.net.56528 > 168.31.227.87.static.dre.siw.siwnet.net.csoft1: UDP, length 22
22:42:47.210785 IP 206-221-184-164.fndns.net.56546 > 168.31.227.87.static.dre.siw.siwnet.net.hcp-wismar: UDP, length 22
22:42:47.210823 IP 206-221-184-164.fndns.net.56560 > 168.31.227.87.static.dre.siw.siwnet.net.npmp-gui: UDP, length 22
22:42:47.210859 IP 206-221-184-164.fndns.net.56569 > 168.31.227.87.static.dre.siw.siwnet.net.megaregsvrport: UDP, length 22
22:42:47.210897 IP 206-221-184-164.fndns.net.56587 > 168.31.227.87.static.dre.siw.siwnet.net.avocent-proxy: UDP, length 22
22:42:47.210934 IP 206-221-184-164.fndns.net.56592 > 168.31.227.87.static.dre.siw.siwnet.net.efidiningport: UDP, length 22
22:42:47.210968 IP 206-221-184-164.fndns.net.56593 > 168.31.227.87.static.dre.siw.siwnet.net.5370: UDP, length 22
22:42:47.211004 IP 206-221-184-164.fndns.net.56596 > 168.31.227.87.static.dre.siw.siwnet.net.4865: UDP, length 22
22:42:47.211043 IP 206-221-184-164.fndns.net.56599 > 168.31.227.87.static.dre.siw.siwnet.net.twcss: UDP, length 22
22:42:47.211079 IP 206-221-184-164.fndns.net.56602 > 168.31.227.87.static.dre.siw.siwnet.net.4122: UDP, length 22
22:42:47.211116 IP 206-221-184-164.fndns.net.56604 > 168.31.227.87.static.dre.siw.siwnet.net.812: UDP, length 22
22:42:47.211643 IP 206-221-184-164.fndns.net.56607 > 168.31.227.87.static.dre.siw.siwnet.net.rtsserv: UDP, length 22
22:42:47.211740 IP 206-221-184-164.fndns.net.56608 > 168.31.227.87.static.dre.siw.siwnet.net.4910: UDP, length 22


The attack is absolutely harmless - except that it eats up the whole incoming bandwidth.
In fact it is not a big deal to perform such an attack, as polarhome is running on ADSL lines and, according to Alecta, 93% of all internet sites are faster than polarhome.

Legal actions will be initiated against the attacker sites if they continue.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Posts: 785
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden
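As an added example (not part of the post or of polarhome's own tooling), a small Python script that parses tcpdump summary lines of the shape shown above and flags sources that send many small UDP datagrams sprayed across many distinct destination ports, which is the pattern in the capture; the hostnames in the embedded sample are constructed placeholders, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# tcpdump's default UDP summary line, e.g.
# "22:42:47.144921 IP src.host.35759 > dst.host.bnt-manager: UDP, length 22"
# The last dot-separated token of each endpoint is the port (number or service name).
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): UDP, length (?P<len>\d+)$"
)

def parse_udp(lines):
    """Yield (timestamp, src_host, dst_port, payload_len) for UDP lines; skip the rest."""
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dport"], int(m["len"])

def flood_sources(lines, min_packets=5, min_ports=5, max_len=64):
    """Flag sources that look like the capture above: many small UDP datagrams
    sprayed across many distinct destination ports. Returns
    {src: (packet_count, distinct_dst_ports)} for each flagged source."""
    pkts, ports, big = defaultdict(int), defaultdict(set), set()
    for _, src, dport, ln in parse_udp(lines):
        pkts[src] += 1
        ports[src].add(dport)
        if ln > max_len:          # assumed: legitimate answers carry larger payloads
            big.add(src)
    return {s: (pkts[s], len(ports[s])) for s in pkts
            if s not in big and pkts[s] >= min_packets and len(ports[s]) >= min_ports}

# Constructed sample modelled on the capture in the post; hostnames are placeholders.
SAMPLE = """\
22:42:47.144921 IP flood-a.example.net.35759 > polarhome.example.net.bnt-manager: UDP, length 22
22:42:47.144960 IP flood-b.example.net.39124 > polarhome.example.net.de-server: UDP, length 22
22:42:47.147364 IP flood-a.example.net.35759 > polarhome.example.net.acp-proto: UDP, length 22
22:42:47.147505 IP flood-a.example.net.35759 > polarhome.example.net.5597: UDP, length 22
22:42:47.147552 IP flood-a.example.net.35759 > polarhome.example.net.blwnkl-port: UDP, length 22
22:42:47.147810 IP polarhome.example.net.64125 > ns.example.org.domain: 58575% [1au] PTR? 28.255.79.212.in-addr.arpa. (55)
22:42:47.184638 IP polarhome.example.net.smtp > client.example.com.4130: R 0:0(0) ack 3501220229 win 0
22:42:47.205514 IP flood-a.example.net.35759 > polarhome.example.net.nbx-ser: UDP, length 22
22:42:47.205889 IP flood-a.example.net.35759 > polarhome.example.net.taligent-lm: UDP, length 22
22:42:48.000001 IP ntp.example.org.ntp > polarhome.example.net.ntp: UDP, length 48
"""

if __name__ == "__main__":
    for src, (n, p) in flood_sources(SAMPLE.splitlines()).items():
        print(f"{src}: {n} small UDP packets to {p} distinct ports")
```

Feed it `tcpdump -n udp` output on stdin (replace SAMPLE with `sys.stdin`) and the flagged sources are the candidates to rate-limit or block at the firewall while the upstream is contacted.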

Postby zoli » Thu Apr 03, 2008 10:01 am

Hello,

Fast action from fatnetwork's side solved the lion's share of this issue.

Code:
-----Original Message-----
From: support@fatnetwork.com [mailto:support@fatnetwork.com]
Sent: den 3 april 2008 09:44
To: Arpadffy Zoltan
Subject: Re: [#619462] DoS attack from your hosts

Hello,

We have checked the server and found some malicious scripts in /tmp which were causing this issue. We have removed those scripts and the issue has now been taken care of.

--

Regards,
Ryan
http://fatnetwork.net/
Regards,
Z
---
Zoltan Arpadffy

