Bot-threat upgrade--new version threaten nets
In September and October, 2003 my firewall recorded an average of 150 hits per day, excluding the Nachi worm probes.

In November and December, again excluding Nachi worm probes, the hit count rose to an average of just over 200 per day.

January = 378 per day
February = 592 per day
March = 852 per day
April = 1334 per day (2 half days included)

Nachi worm probes are not a factor after Jan 3, and are excluded before that date.

This gradual but exponential increase in probes is compatible with bot activity as described in the article.

The article notes that "bots are generally commanded to search smaller networks for new systems to infect, reducing the amount of bandwidth that compromised servers produce and making the programs less obvious."

That is a salient characteristic of the probe activity I am experiencing, which originates largely from the local UUnet network servicing my Earthlink DSL connection. (63.13.xxx.xxx)

Of the 6992 probes against my firewall in the last 4 days, only 62 of the 480 source IPs originating two or more probes have fallen outside the local network IP range. None of those originated more than 13 hits.

Source IP's within the local network originated virtually all of the probes:

This reinforces my belief that the traffic is bot related. Since these IP addresses are assigned to connections, not to machines, the only way machines originating them can be identified is through the cooperation of the ISPs owning the connections. I have appealed to both UUnet and Earthlink. UUnet has not responded.

Earthlink's response to my first submission of lists of hits from their IP's was to tell me they needed a copy of the "email I had forwarded" with "full header information"! Earthlink's second response advised me that these probes were from their RADIUS servers.

However RADIUS server probes (which I do get) do not come from the UUnet IP range, do not originate from a large number of different source ports, and are not directed exclusively at target ports 21, 25, 80, 111, 135 (2336 hits), 137 (304 hits), 139 (637 hits), 445 (1150 hits).

Of course, I am not satisfied with Earthlink's response. Neither am I satisfied that any of the ISPs, or the communications providers like MCI/UUnet which are supporting them, are being proactive enough in identifying and eliminating 'bot traffic on the subnets they use to service ISP customers.
Posted by: jpivonka@...   Posted on: 04/30/04
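A defender's way to reproduce the kind of tally the post describes, as an added example and not the poster's own tool: it assumes a constructed log format of `src_ip:src_port -> dst_port`, treats the 63.13.xxx.xxx range as 63.13.0.0/16, and applies the post's target-port list and its two-or-more-probes threshold.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the post's "local UUnet network" (63.13.xxx.xxx) is treated as /16.
LOCAL_NET = ip_network("63.13.0.0/16")
# Target ports the post says the probes are directed at exclusively.
BOT_PORTS = {21, 25, 80, 111, 135, 137, 139, 445}

# Constructed sample firewall lines: "<src_ip>:<src_port> -> <dst_port>".
SAMPLE_LOG = """\
63.13.224.198:1034 -> 135
63.13.224.198:1041 -> 445
63.13.224.198:1052 -> 139
63.13.224.55:3120 -> 135
63.13.224.55:3126 -> 445
198.51.100.7:4000 -> 22
198.51.100.7:4001 -> 22
203.0.113.9:55000 -> 1812
"""

def parse_line(line):
    """Return (src_ip, src_port, dst_port) from one constructed log line."""
    src, dst = line.split(" -> ")
    ip, sport = src.rsplit(":", 1)
    return ip, int(sport), int(dst)

def summarise(log_text, min_hits=2):
    """Aggregate probes, keeping sources with min_hits or more (the post's
    'two or more probes' cut-off) and splitting them by LOCAL_NET."""
    hits, dst_hits = Counter(), Counter()
    src_ports = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, sport, dport = parse_line(line)
        hits[ip] += 1
        src_ports[ip].add(sport)
        dst_hits[dport] += 1
    repeat = {ip: n for ip, n in hits.items() if n >= min_hits}
    local = {ip: n for ip, n in repeat.items() if ip_address(ip) in LOCAL_NET}
    outside = {ip: n for ip, n in repeat.items() if ip not in local}
    # Many distinct source ports aimed only at BOT_PORTS is the pattern the
    # post uses to tell bot probes apart from its ISP's RADIUS traffic.
    return {
        "total": sum(hits.values()),
        "local": local,
        "outside": outside,
        "bot_port_hits": {p: dst_hits[p] for p in BOT_PORTS if dst_hits[p]},
        "src_port_spread": {ip: len(s) for ip, s in src_ports.items()},
    }
```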