Huge Ddos Attacks All Over Us!

  #1  
Old 01-25-2003, 03:10 AM
AmericanBizTech AmericanBizTech is offline
Junior Guru Wannabe
 
Join Date: Jul 2001
Location: Fort Worth, Texas
Posts: 61

Huge DDOS Attacks All Over U.S.!


We are monitoring massive Distributed Denial of Service attacks all over the U.S. tonight, starting at around 11:30 PM CST. As many as 5 of the 13 root nameservers have been down, up to 10 with massive packet loss (xx%):

Internet Status to Root Name Servers
Date: Fri Jan 24 21:37:00 PST 2003

Place Address Packet Loss Time: Min/Avg/Max
Root b.root-servers.net 53% 25/40/48
Root c.root-servers.net 0% 82/82/82
Root e.root-servers.net 20% 16/29/33
Root f.root-servers.net 26% 17/27/32
Root h.root-servers.net 20% 91/101/108
Root i.root-servers.net 26% 190/199/205
Root j.root-servers.net 26% 81/91/96
Root k.root-servers.net 64% 172/188/201
Root l.root-servers.net 0% 5/5/6
Root m.root-servers.net 33% 160/171/205
GTLD b.gtld-servers.net 26% 52/63/67
GTLD c.gtld-servers.net 31% 85/93/95
GTLD d.gtld-servers.net 13% 88/100/103
GTLD f.gtld-servers.net 22% 38/50/57
GTLD i.gtld-servers.net 0% 198/200/203
GTLD k.gtld-servers.net 24% 90/100/105
GTLD l.gtld-servers.net 33% 128/138/171


All backbone providers are suffering major packet loss (XX%):

Place Address Packet Loss Time: Min/Avg/Max
AboveNet ns.above.net 28% 53/64/66
AGIS ns1.agis.net 26% 62/74/78
AlohaNet nuhou.aloha.net 35% 84/94/98
ANS ns.ans.net 26% 83/97/100
BBN-NearNet nic.near.net 28% 91/114/572
BBN-BARRnet ns1.barrnet.net 26% 16/26/32
Best ns.best.com 35% 79/89/95
Concentric nameserver.concentric.net 35% 18/31/56
CW ns.cw.net 28% 88/98/105
DIGEX ns.digex.net 31% 78/86/91
ENTER.NET dns.enter.net 28% 91/104/108
Epoch Internet ns1.hlc.net 33% 37/48/52
Flash net ns1.flash.net 17% 80/92/94
GetNet ns1.getnet.com 20% 40/52/56
GlobalCrossing name.roc.gblx.net 24% 85/97/104
GoodNet ns1.good.net 31% 83/92/97
GridNet grid.net 20% 80/92/101
IDT Net ns.idt.net 20% 91/104/121
Internex nic1.internex.net 26% 18/31/35
MCI ns.mci.net 22% 91/103/107
MindSpring itchy.mindspring.net 15% 75/88/106
NAP.NET ns2.nap.net 20% 73/85/94
PacBell ns1.pbi.net 0% 89/89/90
Primenet dns1.primenet.net 20% 31/41/45
PSI ns.psi.net 0% 82/84/160
RAINet ns.rain.net 31% 40/49/53
SAVVIS ns1.savvis.net 31% 88/99/102
SprintLink ns1.sprintlink.net 11% 15/27/35
UUNet,AlterNet auth00.ns.uu.net 26% 89/98/103
Verio-West ns0.verio.net 22% 31/42/47
Verio-East ns1.verio.net 22% 86/96/101
VISInet ceylon.visinet.ca 20% 102/116/188
MoonGlobal-ClubNET ns.clubnet.net 0% 0/1/2
MoonGlobal-Netway dns.nwc.net 4% 6/6/7
MoonGlobal-Netxactics verdi.netxactics.com 4% 6/6/7
InterWorld ns.interworld.net 0% 4/4/5


It's massive; no word on the source yet. We are watching it closely. This is upstream mostly, hitting the root name servers and backbone providers. Routes are dropping like flies, and DNS is getting bad.

__________________
BG


Last edited by AmericanBizTech; 01-25-2003 at 03:26 AM.


  #2  
Old 01-25-2003, 03:12 AM
maxideus maxideus is offline
Junior Guru Wannabe
 
Join Date: Jan 2003
Posts: 49
That explains why the sites I go to are now super slow.

  #3  
Old 01-25-2003, 03:14 AM
RMF RMF is offline
Web Hosting Master
 
Join Date: Sep 2002
Posts: 1,056
That must explain why all my domains at "www.eHostingBiz.com" are down, including their site.

RMF

  #4  
Old 01-25-2003, 03:22 AM
Netbridge Netbridge is offline
Junior Guru Wannabe
 
Join Date: Oct 2002
Posts: 89
Thank you.

It's all of us.

We have 100% loss on Sprint and 40% on Verio and 70% on UUNET.

  #5  
Old 01-25-2003, 03:22 AM
AmericanBizTech AmericanBizTech is offline
Junior Guru Wannabe
 
Join Date: Jul 2001
Location: Fort Worth, Texas
Posts: 61

__________________
BG

  #6  
Old 01-25-2003, 03:26 AM
AmericanBizTech AmericanBizTech is offline
Junior Guru Wannabe
 
Join Date: Jul 2001
Location: Fort Worth, Texas
Posts: 61
Internap is toast too:

http://www.internetpulse.net/

__________________
BG

  #7  
Old 01-25-2003, 03:29 AM
VP VP is offline
Web Hosting Evangelist
 
Join Date: Dec 2002
Location: Vancouver, Canada
Posts: 541
Is this the end of the Internet Civilization? Oh well, I'm going to sleep.

  #8  
Old 01-25-2003, 03:31 AM
trafficbuild trafficbuild is offline
WHT Addict
 
Join Date: Jul 2002
Posts: 101
Good nite

__________________
Affordable Web Hosting @ www.qoolhost.com

  #9  
Old 01-25-2003, 03:31 AM
SolidJoe SolidJoe is offline
I LOVE Cogent!
 
Join Date: Dec 2002
Location: California
Posts: 1,999
We are noticing it as well. It looks to be attacking on port 1434, the MS-SQL monitor service. My guess is it's some sort of virus/trojan set to launch on this date. Here are some IPs that have been attacking us:


As you can see it seems to be worldwide.

209.5.47.69.3892 > 192.168.0.101.1434: udp 376

That's a capture of the packet. Not sure what it means, but it repeats itself whenever it tries to connect again, and the drones seem to retry their attempts. This is just what we've noticed so far...

  #10  
Old 01-25-2003, 03:34 AM
aht aht is offline
WHT Addict
 
Join Date: Jan 2003
Posts: 167
The government or someone needs to put a stop to this crap!

__________________
Dustin

  #11  
Old 01-25-2003, 03:35 AM
AmericanBizTech AmericanBizTech is offline
Junior Guru Wannabe
 
Join Date: Jul 2001
Location: Fort Worth, Texas
Posts: 61
More info on this:

When the SQL Server 2000 client Net-Libraries connect to an instance of SQL Server 2000, only the network name of the computer running the instance and the instance name are required. When an application requests a connection to a remote computer, Dbnetlib.dll opens a connection to UDP port 1434 on the computer network name specified in the connection. All computers running an instance of SQL Server 2000 listen on this port. When a client Dbnetlib.dll connects to this port, the server returns a packet listing all the instances running on the server. For each instance, the packet reports the server Net-Libraries and network addresses the instance is listening on. After the Dbnetlib.dll on the application computer receives this packet, it chooses a Net-Library that is enabled on both the application computer and on the instance of SQL Server, and makes a connection to the address listed for that Net-Library in the packet. The connection attempt fails only if:

1. The requested instance of SQL Server 2000 is not running.

2. None of the Net-Libraries that the instance of SQL Server 2000 is listening on is active on the application computer.

So the UDP 1434 port is open when SQL Server is started, listening for all clients from any IP address on this port. SQL Server only receives the packet from the client on this port to determine which instance the client is attempting to access, and returns the related information about the SQL Server to the client. Then the client can create the connection to the SQL Server with the protocol enabled on the server side.

__________________
BG


Last edited by AmericanBizTech; 01-25-2003 at 01:17 PM.
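A defender-side triage script, added here as an example and not posted by anyone in the thread. It does two things the posts above describe in prose: it parses tcpdump summary lines like the one in post #9 to count sources sending oversized UDP datagrams to port 1434, and it checks a UDP/1434 payload against the instance-name request layout of the SQL Server browser protocol explained in post #11. The opcode value, the size ceilings and every sample line and payload are assumptions or constructed data, not values from the thread.

```python
import re
from collections import Counter

# tcpdump summary line, e.g. "209.5.47.69.3892 > 192.168.0.101.1434: udp 376"
SUMMARY_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)$")

# Assumed SSRP request layout: opcode 0x04 (CLNT_UCAST_INST) followed by a
# NUL-terminated instance name. Ceilings below are assumptions for triage.
CLNT_UCAST_INST = 0x04
MAX_NAME = 32       # a legitimate instance name is far shorter than this
MAX_REQUEST = 64    # a legitimate browser query datagram is far smaller than this

def parse_summary(line):
    """Return (src_ip, dst_port, udp_len) for a UDP summary line, else None."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    src, _sport, _dst, dport, length = m.groups()
    return src, int(dport), int(length)

def check_ssrp(payload):
    """Return a reason string if a CLNT_UCAST_INST request is malformed, else None."""
    if not payload or payload[0] != CLNT_UCAST_INST:
        return None                      # other opcodes are not inspected here
    end = payload.find(b"\x00", 1)       # instance name must be NUL-terminated
    if end < 0:
        return "instance name not NUL-terminated (%d bytes)" % (len(payload) - 1)
    if end - 1 > MAX_NAME:
        return "instance name too long (%d bytes)" % (end - 1)
    return None

def triage(lines):
    """Count, per source IP, UDP/1434 datagrams larger than a sane browser query."""
    hits = Counter()
    for line in lines:
        parsed = parse_summary(line)
        if parsed and parsed[1] == 1434 and parsed[2] > MAX_REQUEST:
            hits[parsed[0]] += 1
    return hits

# Constructed sample lines (not the thread's capture); 376 is the size post #9 saw.
SAMPLE = [
    "10.0.0.5.3892 > 192.168.0.101.1434: udp 376",
    "10.0.0.5.3892 > 192.168.0.101.1434: udp 376",
    "10.0.0.9.1025 > 192.168.0.101.1434: udp 11",    # normal-size browser query
    "10.0.0.7.4000 > 192.168.0.101.1434: udp 376",
]
# Constructed payloads: a well-formed request and an oversized, unterminated one.
GOOD = b"\x04SQLEXPRESS\x00"
BAD = b"\x04" + b"\x01" * 100
```

Hosts that only run the browser service for client discovery will see single small queries per source; repeated oversized datagrams from one source are what to alert on and, as post #14 suggests, drop at the firewall.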
  #12  
Old 01-25-2003, 03:37 AM
RMF RMF is offline
Web Hosting Master
 
Join Date: Sep 2002
Posts: 1,056
Looks like the popular site www.GameSpy.com is also down.

RMF

  #13  
Old 01-25-2003, 03:51 AM
juicybucks juicybucks is offline
New Member
 
Join Date: Jan 2003
Posts: 1
sheesh, it's getting harder and harder to make a dollar these days. Half the internet is shagged including our trash !

  #14  
Old 01-25-2003, 04:02 AM
alwaysweb alwaysweb is offline
Web Hosting Guru
 
Join Date: Dec 2001
Location: Dallas, TX
Posts: 344
For unix hosts out there, I suppose it wouldn't hurt to block port 1434... It's late, but it may be something like:

# iptables -I INPUT -p udp --dport 1434 -j DROP

Thoughts?

__________________
Ronnie T. Moore, Founder/Owner
AlwaysWebHosting.com Friendly, feature-packed Cpanel hosting, that can't be beat!
cPanel 11 Fantastico Multiple-Domain hosting (Host up to 25 domains with one account!)
Sales/Support via phone, email, help desk, forums, FAQ's, instant messenger, live chat

  #15  
Old 01-25-2003, 04:08 AM
SolidJoe SolidJoe is offline
I LOVE Cogent!
 
Join Date: Dec 2002
Location: California
Posts: 1,999
A lot of the problem is at the router level, where most of us don't have control. It's up to Verio, Above, UUNet, etc to drop this port for the time being. That can't hurt though.

__________________
I wish all my traffic went through AS174.
