[AusNOG] Traffic from Optus and Telstra CPE addresses

Joshua Riesenweber josheymail at hotmail.com
Tue Mar 4 16:28:11 EST 2014


Thanks for the replies,
I've sent messages to a couple of people off-list.
It started around 7:30PM AEST. Our IPS flagged it as a SYN attack from the Optus address listed, and the Telstra address it didn't categorize but there were a massive number of PPS from it. The on-site logging server had some issues today and I don't have access to much beyond a couple of alerts that came through last night unfortunately.
I've put in reverse path verification and enabled embryonic connections as a countermeasure.

Cheers,
Josh


Date: Tue, 4 Mar 2014 15:35:24 +1100
From: russell3901 at gmail.com
To: joshua.riesenweber at outlook.com
CC: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Traffic from Optus and Telstra CPE addresses

Hi Joshua,

They both look like CPE addresses.

I think the first step would be to take traffic captures to confirm what kind of attack it is (ntp/snmp/dns/chargen) and then implement protections on your border to stop it impacting your customer/s.

If you can't implement protections, then at least with the packet captures you can approach the providers to maybe contact the customers to fix their problems, but this opens another can-o-worms.



On Tue, Mar 4, 2014 at 3:12 PM, Joshua Riesenweber <joshua.riesenweber at outlook.com> wrote:




G'day 'noggers,

I had a customer hit with what looks like a DoS attack from (mainly) a couple of addresses last night:
220.239.56.245 [c220-239-56-245.eburwd6.vic.optusnet.com.au]
121.214.8.170  [cpe-121-214-8-170.lnse3.win.bigpond.net.au]

Any tips on tracking this kind of thing down/getting more information? (mainly for reporting) I'm guessing by the PTR that second address is a customer endpoint, not Telstra equipment.




Cheers,
Josh

_______________________________________________

AusNOG mailing list

AusNOG at lists.ausnog.net

http://lists.ausnog.net/mailman/listinfo/ausnog
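
The reply above suggests taking traffic captures to confirm the kind of attack (ntp/snmp/dns/chargen, or the SYN attack the IPS flagged). The following is an added example, not part of the original thread: a per-source triage of `tcpdump -nn` text output. The sample lines, the documentation addresses in them, the function names and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# UDP source ports of the reflection services named in the thread.
REFLECTORS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > \d+(?:\.\d+){3}\.\d+: (.*)")

def classify_line(line):
    """Return (src_ip, label) for one `tcpdump -nn` IPv4 line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, rest = m.groups()
    flags = re.match(r"Flags \[([^\]]*)\]", rest)
    if flags:  # TCP: a bare SYN carries 'S' and no ACK ('.')
        f = flags.group(1)
        return src, "tcp-syn" if "S" in f and "." not in f else "tcp-other"
    # Assumption: any other line that has ports is UDP.
    return src, "udp-" + REFLECTORS.get(int(sport), "other")

def summarize(lines):
    """Per-source packet counts keyed by label."""
    per_src = defaultdict(Counter)
    for line in lines:
        hit = classify_line(line)
        if hit:
            per_src[hit[0]][hit[1]] += 1
    return per_src

def verdict(counts, min_packets=3, ratio=0.8):
    """Name the dominant pattern; thresholds are illustrative assumptions."""
    total = sum(counts.values())
    label, n = counts.most_common(1)[0]
    if total < min_packets or n / total < ratio or label.endswith("other"):
        return "unclassified"
    return "syn-flood" if label == "tcp-syn" else label[4:] + "-reflection"

# Constructed capture lines (documentation addresses, not from the thread).
SAMPLE = (
    [f"19:30:00.0001{i} IP 192.0.2.10.4000{i} > 203.0.113.5.80: "
     f"Flags [S], seq {i}, win 8192, length 0" for i in range(4)]
    + ["19:30:00.000200 IP 198.51.100.7.123 > 203.0.113.5.51234: "
       "NTPv2, Reserved, length 440"] * 3
    + ["19:30:01.000001 IP 198.51.100.99.51000 > 203.0.113.5.443: Flags [S], seq 5, length 0",
       "19:30:01.000002 IP 198.51.100.99.51000 > 203.0.113.5.443: Flags [.], ack 10, length 0",
       "19:30:01.000003 IP 198.51.100.99.51000 > 203.0.113.5.443: Flags [P.], seq 6:100, ack 10, length 94"]
)

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, dict(counts), verdict(counts))
```

A source that only ever sends bare SYNs, or only UDP from a reflector port, gets a named verdict; a source that completes handshakes stays unclassified. The per-source counts are the kind of summary that can accompany a capture when reporting to the upstream provider.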




