Tech Update

Time to get into my n3rd mode!

Last week has been hectic; for some strange reason I’ve been under attack.
Apparently it started last Sunday, but just for a brief moment…

Shit hit the fan on Tuesday. My internet was taken down by my ISP. Got in touch, and found out that I was under a DOS attack.
Apparently they didn’t have a clue where it came from or what kind of traffic it was. Only that it was hitting my IP with a good 5.5Gbit/s traffic flow…. This was around 10:00 in the morning…

After some research, they had narrowed it down to TCP traffic, and apparently my servers were responding to some of the traffic. The traffic was coming from the same source: an IP owned by HP.

16.32.64.128 – Geo Information
IP Address: 16.32.64.128
Host: 16.32.64.128
Location: US, United States
City: Palo Alto, CA 94304
Organization: Hewlett-Packard Company
ISP: Hewlett-Packard Company
AS Number: AS71 Hewlett-Packard Company
Latitude: 37°37’62” North
Longitude: 122°18’26” West
Distance: 10452.62 km (6494.96 miles)

With over 330 000 packets per second, and with different destination port numbers, it was clearly a SYN attack.

Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=35881 DPT=52685 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=42473 DPT=36088 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=56628 DPT=2934 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=42517 DPT=35819 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=37423 DPT=56811 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=55876 DPT=27605 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=30176 DPT=13331 WINDOW=61690 RES=0x18 SYN URGP=0
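
A small detection script I add here as an illustration of what the log excerpt above shows; it is not code from the original post. It parses iptables/netfilter LOG lines in the format above, counts SYN-only segments per source address, tracks how many distinct destination ports each source hits and the peak number of SYNs in any one second, and flags sources that exceed both thresholds. The threshold values (min_pps, min_dports) are assumed for a small gateway, and the two extra lines from 192.0.2.77 are constructed benign traffic for contrast.

```python
"""Flag SYN-flood sources in netfilter/iptables kernel log lines.

Added example, not code from the original post. The field names
(SRC, DST, PROTO, SPT, DPT, SYN) are the kernel LOG target's own.
Thresholds are assumed values for a small gateway, not from the post.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields we care about as a dict, or None for a non-LOG line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # TCP flag names appear as bare tokens (SYN, ACK, ...) after RES=...;
    # every other token in the tail is a KEY=VALUE pair, so skip those.
    flags = {tok for tok in rec.pop("rest").split() if "=" not in tok}
    rec["syn_only"] = "SYN" in flags and "ACK" not in flags
    return rec


def syn_stats(lines):
    """Per source IP: SYN-only count, distinct dst ports, SYNs per second."""
    stats = defaultdict(
        lambda: {"syn": 0, "dports": set(), "per_sec": defaultdict(int)}
    )
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["proto"] != "TCP"
                or rec["dpt"] is None or not rec["syn_only"]):
            continue
        s = stats[rec["src"]]
        s["syn"] += 1
        s["dports"].add(int(rec["dpt"]))
        s["per_sec"][rec["ts"]] += 1
    return stats


def flag_syn_floods(lines, min_pps=5, min_dports=4):
    """Return {src: summary} for sources over both thresholds.

    One source sending SYN-only segments at a high rate to many unrelated
    destination ports is the pattern in the post's excerpt; a normal client
    opens a handful of connections to a few well-known ports.
    """
    flagged = {}
    for src, s in syn_stats(lines).items():
        peak = max(s["per_sec"].values())
        if peak >= min_pps and len(s["dports"]) >= min_dports:
            flagged[src] = {"syn": s["syn"], "peak_pps": peak,
                            "dports": len(s["dports"])}
    return flagged


# Constructed sample: the seven lines from the post (MAC redacted as in the
# post) plus two benign SYNs from a made-up host to ports 22 and 443.
SAMPLE = """\
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=35881 DPT=52685 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=42473 DPT=36088 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=56628 DPT=2934 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=42517 DPT=35819 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=37423 DPT=56811 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=16 ID=28522 DF PROTO=TCP SPT=55876 DPT=27605 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=16.32.64.128 DST=188.126.223.10 LEN=1448 TOS=0x00 PREC=0x00 TTL=15 ID=28522 DF PROTO=TCP SPT=30176 DPT=13331 WINDOW=61690 RES=0x18 SYN URGP=0
Dec 7 10:00:06 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=192.0.2.77 DST=188.126.223.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=50120 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 7 10:00:07 GATEWAY kernel: IN=eth2 OUT= MAC=X:X:X SRC=192.0.2.77 DST=188.126.223.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=50121 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    for src, info in flag_syn_floods(SAMPLE).items():
        print(f"{src}: {info['syn']} SYN-only, peak {info['peak_pps']}/s, "
              f"{info['dports']} distinct dst ports")
```

On the sample this reports only 16.32.64.128 (seven SYNs in one second across seven destination ports); the two benign SYNs stay below both thresholds. On a real gateway you would feed it `journalctl -k` or `/var/log/kern.log` output and pick thresholds from your own baseline. Note that a flagged source address is only where the packets claim to come from: with SYN floods the address is often spoofed, which is the same caveat the post raises about HP further down.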

TDC, which is the backbone that I’m connected to, finally got the IP null-routed just before 16:00…
I was up and running again……

Didn’t have time to do an investigation that night, since I’m in the middle of moving… And I thought the problem was gone… But apparently it was not. The next morning, again @ 10:00, it started again……

Quickly got in contact with my ISP, which then again contacted TDC NOC. The traffic was still coming from the same IP; guess the null route was deleted ????…. Once again it was null routed, and I was up and running again.

Talking to my ISP, irc.mzima.net came up… irc.mzima.net is a part of EFnet – The Original IRC Network…. And I remember setting up a shell account for a friend of mine to host an eggdrop.
Checking the eggdrop’s config, it was connected to EFnet….. That’s the only link I have found.. so after killing the eggdrop and deleting my friend’s shell account… it looks like my Internet link is up and running again….

As I’m writing this… I can’t help noticing that the IP (16.32.64.128) looks a bit strange……

16 * 1 = 16
16 * 2 = 32
16 * 4 = 64
16 * 8 = 128

At first glance, I was sure that this was a DOS attack, but looking at the IP, I can’t help wondering whether this IP is just a bogus IP,
and that this attack is a more sophisticated attack, like a DDOS with a spoofed IP.….. Maybe HP is just an innocent bystander… The more I think of it.. I’m pretty sure this is the case… (well for now.. case closed).
