[AusNOG] Traffic from Optus and Telstra CPE addresses
Joshua Riesenweber
josheymail at hotmail.com
Tue Mar 4 16:28:11 EST 2014
Thanks for the replies,
I've sent messages to a couple of people off-list.
It started around 7:30PM AEST. Our IPS flagged it as a syn attack from the Optus address listed, and the Telstra address it didn't categorize but there was a massive number of PPS from it. The on-site logging server had some issues today and I don't have access to much beyond a couple of alerts that came through last night unfortunately.
I've put in reverse path verification and enabled embryonic connections as a countermeasure.
Cheers,
Josh
Date: Tue, 4 Mar 2014 15:35:24 +1100
From: russell3901 at gmail.com
To: joshua.riesenweber at outlook.com
CC: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Traffic from Optus and Telstra CPE addresses
Hi Joshua,
They both look like CPE addresses.
I think the first step would be to take traffic captures to confirm what kind of attack it is (ntp/snmp/dns/chargen) and then implement protections on your border to stop it impacting your customer/s.
If you can't implement protections, then at least with the packet captures you can approach the providers to maybe contact the customers to fix their problems, but this opens another can-o-worms.
On Tue, Mar 4, 2014 at 3:12 PM, Joshua Riesenweber <joshua.riesenweber at outlook.com> wrote:
G'day 'noggers,
I had a customer hit with what looks like a DoS attack from (mainly) a couple of addresses last night:
220.239.56.245 [c220-239-56-245.eburwd6.vic.optusnet.com.au]
121.214.8.170 [cpe-121-214-8-170.lnse3.win.bigpond.net.au]
Any tips on tracking this kind of thing down/getting more information? (mainly for reporting) I'm guessing by the PTR that second address is a customer endpoint, not Telstra equipment.
Cheers,
Josh
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
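The capture-and-classify step suggested in the quoted reply, as an added example that is not part of the original thread: it labels each source in a text capture as a TCP SYN flood or as UDP sourced from one of the reflector services named there (ntp/snmp/dns/chargen). It assumes one-line IPv4 output in the style of `tcpdump -nn`; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# UDP services named in the thread. Floods sourced from these ports
# point to reflection/amplification rather than a direct flood.
REFLECTOR_PORTS = {123: "ntp", 161: "snmp", 53: "dns", 19: "chargen"}
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")

def classify(line):
    """Return (src_ip, label) for one IPv4 TCP/UDP line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, _dst, _dport, rest = m.groups()
    if rest.startswith("Flags ["):
        flags = rest[len("Flags ["):rest.index("]")]
        # Bare SYN = new connection attempt; "S." would be a SYN-ACK.
        return src, "tcp-syn" if flags == "S" else "tcp-other"
    return src, "udp-" + REFLECTOR_PORTS.get(int(sport), "other")

def summarise(lines):
    """Count packets per source address and label."""
    per_src = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            per_src[hit[0]][hit[1]] += 1
    return per_src

def dominant(per_src):
    """Map each source to (most frequent label, share of its packets)."""
    out = {}
    for src, counts in per_src.items():
        label, n = counts.most_common(1)[0]
        out[src] = (label, n / sum(counts.values()))
    return out

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "1.10 IP 192.0.2.10.40001 > 203.0.113.5.80: Flags [S], seq 1, win 8192, length 0",
    "1.11 IP 192.0.2.10.40002 > 203.0.113.5.80: Flags [S], seq 2, win 8192, length 0",
    "1.12 IP 192.0.2.10.40003 > 203.0.113.5.80: Flags [S], seq 3, win 8192, length 0",
    "1.13 IP 192.0.2.10.40004 > 203.0.113.5.80: Flags [.], ack 1, win 8192, length 0",
    "1.20 IP 198.51.100.7.123 > 203.0.113.5.44321: NTPv2, Reserved, length 440",
    "1.21 IP 198.51.100.7.123 > 203.0.113.5.44321: NTPv2, Reserved, length 440",
    "1.30 IP 198.51.100.9.19 > 203.0.113.5.5000: UDP, length 1024",
]
```

Calling `dominant(summarise(SAMPLE))` gives one verdict per source, which is the kind of per-address summary that can accompany a capture when reporting to the upstream provider.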