<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks for the replies,<div><br></div><div>I've send messages to a couple of people off-list.</div><div><br></div><div>It started around 7:30PM AEST. Ou<font size="3">r IPS flagged it as a syn attack from the Optus address listed, and the Telstra address it didn't </font>categorize<font size="3"> but there were an massive number of PPS from it.</font></div><div><span style="font-size: 12pt;">The on-site logging server had some issues today and I don't have access to much beyond a couple of alerts that came through last night unfortunately. </span></div><div><br></div><div>I've put in reverse path verification and enabled embryonic connections as a countermeasure.</div><div><br></div><div><br></div><div>Cheers,</div><div>Josh</div><div><br></div><div><br><br><div><hr id="stopSpelling">Date: Tue, 4 Mar 2014 15:35:24 +1100<br>From: russell3901@gmail.com<br>To: joshua.riesenweber@outlook.com<br>CC: ausnog@lists.ausnog.net<br>Subject: Re: [AusNOG] Traffic from Optus and Telstra CPE addresses<br><br><div dir="ltr"><div><div>Hi Joshua,<br><br></div><div>They both look like CPE addresses.<br></div><div><br></div>I think the first step would be to take traffic captures to confirm what kind of attack it is (ntp/snmp/dns/chargen) and then implement protections on your border to stop it impacting your customers/s.<br>
</div>If you can't implement protections, then at least with the packet captures can you approach the providers to maybe contact the customers to fix their problems, but this opens another can-o-worms.<br></div><div class="ecxgmail_extra">
<br><br><div class="ecxgmail_quote">On Tue, Mar 4, 2014 at 3:12 PM, Joshua Riesenweber <span dir="ltr"><<a href="mailto:joshua.riesenweber@outlook.com" target="_blank">joshua.riesenweber@outlook.com</a>></span> wrote:<br>
<blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;">
<div><div dir="ltr"><div><div dir="ltr">G'day 'noggers,<div><br></div><div><br></div><div>I had a customer hit with what looks like a DoS attack from (mainly) a couple of addresses address last night: </div><div>
<span style="font-size:12pt;"><b>220.239.56.245</b> [</span><span style="font-size:12pt;"><a href="http://c220-239-56-245.eburwd6.vic.optusnet.com.au" target="_blank">c220-239-56-245.eburwd6.vic.optusnet.com.au</a>]</span></div>
<div><span style="font-size:12pt;"><b>121.214.8.170</b> [</span><span style="font-size:12pt;"><a href="http://cpe-121-214-8-170.lnse3.win.bigpond.net.au" target="_blank">cpe-121-214-8-170.lnse3.win.bigpond.net.au</a>]</span></div>
<div><br></div><div>Any tips on tracking this kind of thing down/getting more information? (mainly for reporting) </div><div>I'm guessing by the PTR that second address is a customer endpoint, not Telstra equipment.</div>
<div><br></div><div><br></div><div><br></div><div><br></div><div>Cheers,</div><div>Josh </div> </div></div> </div></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>
<br>_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog</div></div> </div></body>
</html>