The attack started around 03:05:07 EST on Saturday, December 12th, 2009. As far as I know, the attack is still going on. My service provider has null routed the target IP (old IP for www.nullamatix.com), at least until the attack subsides. Fortunately, Nullamatix.com is back up and running as of 14:30:00 EST on Sunday, December 13th, 2009. Here are some details of the attack.
The Involved
These IP addresses contributed to the 133MB worth of dropped firewall log data generated between 03:05:07 and 03:40:00. I imagine by 03:40, the entire pipe was filled and iptables wasn't seeing anything else to drop, hence the decline in the number of packets.
| Source IP | # of Packets |
| --- | --- |
| 140.128.64.168 | 251029 |
| 84.19.172.30 | 163157 |
| 213.74.4.160 | 135143 |
| 85.12.42.240 | 77208 |
| 72.18.196.223 | 74521 |
| 81.27.32.250 | 5685 |
| 92.48.68.32 | 1421 |
| 85.10.128.63 | 364 |
| 87.118.126.165 | 254 |
| 79.140.64.133 | 153 |
| 62.193.228.104 | 106 |
| 213.186.46.163 | 61 |
| 212.58.5.194 | 32 |
| 192.83.166.21 | 23 |
| 79.132.212.7 | 21 |
| 204.16.241.176 | 14 |
CIDR for The Involved
For anyone interested, here are the CIDR blocks for the involved networks:
```text
[nullamatix.com ~]:# ip route show | sed 's/unreachable //;s/ scope.*$//' | grep -v ' dev'
140.128.0.0/13
84.19.160.0/19
213.74.0.0/16
85.12.0.0/18
72.18.192.0/20
81.27.32.0/20
92.48.64.0/18
85.10.128.0/20
87.118.64.0/18
79.140.64.0/20
62.193.192.0/18
213.186.32.0/19
212.58.0.0/19
192.83.166.0/23
79.132.192.0/19
204.16.240.0/21
```
Null Route The Involved
Here's how to null route these networks:
```shell
route add -net 140.128.0.0/13 reject
route add -net 84.19.160.0/19 reject
route add -net 213.74.0.0/16 reject
route add -net 85.12.0.0/18 reject
route add -net 72.18.192.0/20 reject
route add -net 81.27.32.0/20 reject
route add -net 92.48.64.0/18 reject
route add -net 85.10.128.0/20 reject
route add -net 87.118.64.0/18 reject
route add -net 79.140.64.0/20 reject
route add -net 62.193.192.0/18 reject
route add -net 213.186.32.0/19 reject
route add -net 212.58.0.0/19 reject
route add -net 192.83.166.0/23 reject
route add -net 79.132.192.0/19 reject
route add -net 204.16.240.0/21 reject
```
IPTable DROP The Involved
And here's how to drop incoming packets from these networks with iptables:
```shell
iptables -A INPUT -s 140.128.0.0/13 -j DROP
iptables -A INPUT -s 84.19.160.0/19 -j DROP
iptables -A INPUT -s 213.74.0.0/16 -j DROP
iptables -A INPUT -s 85.12.0.0/18 -j DROP
iptables -A INPUT -s 72.18.192.0/20 -j DROP
iptables -A INPUT -s 81.27.32.0/20 -j DROP
iptables -A INPUT -s 92.48.64.0/18 -j DROP
iptables -A INPUT -s 85.10.128.0/20 -j DROP
iptables -A INPUT -s 87.118.64.0/18 -j DROP
iptables -A INPUT -s 79.140.64.0/20 -j DROP
iptables -A INPUT -s 62.193.192.0/18 -j DROP
iptables -A INPUT -s 213.186.32.0/19 -j DROP
iptables -A INPUT -s 212.58.0.0/19 -j DROP
iptables -A INPUT -s 192.83.166.0/23 -j DROP
iptables -A INPUT -s 79.132.192.0/19 -j DROP
iptables -A INPUT -s 204.16.240.0/21 -j DROP
```
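The per-source packet table above and the null-route / DROP commands are two halves of one workflow: rank the sources in the firewall's dropped-packet log, then block the worst of them. As an added example (not part of the original post, and not the post's real log data), the script below does both from iptables LOG lines in the kernel's syslog format: it counts packets per `SRC=` address and prints the two mitigation commands for every source at or above a threshold. The sample log lines are constructed from documentation address ranges. It emits per-host (`/32`) rules, whereas the post blocks whole CIDR blocks looked up for each source; it uses `ip route add unreachable`, the iproute2 equivalent of the post's `route add ... reject`. Nothing is executed against the system: the commands are printed for review.

```shell
#!/bin/sh
# Added example, not from the original post. Counts dropped packets per
# source in iptables LOG output and prints block commands for top talkers.

# Constructed sample of iptables LOG lines (not the post's real data).
SAMPLE_LOG='Dec 12 03:05:07 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4444 DPT=80 SYN
Dec 12 03:05:07 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4445 DPT=80 SYN
Dec 12 03:05:08 host kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=1024 DPT=80 SYN
Dec 12 03:05:08 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4446 DPT=80 SYN
Dec 12 03:05:09 host kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=1025 DPT=80 SYN
Dec 12 03:05:09 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=2000 DPT=80 SYN'

# Read log lines on stdin; print "count ip" per source, busiest first.
# Only the SRC= field is inspected, so unrelated fields and field order
# do not matter.
count_sources() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") { n[substr($i, 5)]++; break }
    } END { for (ip in n) print n[ip], ip }' | sort -rn -k1,1
}

# Read log lines on stdin; for every source with at least $1 packets,
# print the null-route and the iptables DROP command for that host.
# Commands are printed for review, never run by this script.
block_commands() {
    threshold="$1"
    count_sources | awk -v t="$threshold" '$1 >= t {
        printf "ip route add unreachable %s/32\n", $2
        printf "iptables -A INPUT -s %s/32 -j DROP\n", $2
    }'
}

# Usage: rank the sample sources, then list commands for those with >= 2 packets.
printf '%s\n' "$SAMPLE_LOG" | count_sources
printf '%s\n' "$SAMPLE_LOG" | block_commands 2
```

On a real host, feed the script the dropped-packet lines from `/var/log/kern.log` (or wherever the LOG target writes) and pick the threshold from the gap between attack sources and legitimate clients in the ranking; the post's table shows how wide that gap usually is.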
Feel free to ask any questions; I'll do my best to provide any information I can. I still have absolutely no idea what might have provoked such an attack.