Summary: A person with a grudge against Alan Brown has mounted at least
one attack against Manawatu Internet from an overseas site. While
their account in New Zealand (they are from Lower Hutt) has been nuked,
they may have access to others and have friends with access. They have
made a threat to attack from a T3 connected site in the US which
could result in the International Link being swamped. Other sites
in New Zealand could also be attacked.
Below is the CERT email that summarizes much of the incident.
[ All the above is written by me, any errors are on my part - SJL ]
---------- Forwarded message ----------
Date: Thu, 22 Feb 96 17:17:06 EST
From: CERT Coordination Center <ce...@cert.org>
To: Alan Brown <al...@manawatu.planet.org.nz>
Cc: postm...@iit.edu, ar...@waikato.ac.nz, ce...@cert.org
Subject: CERT#7353 -- Re: ICMP attack from charlie.acc.iit.edu
All,
Alan: thanks for reporting this activity to us, and for including
iit.edu on your message. If, however, you don't receive any
feedback from the postm...@iit.edu account, you may want to
contact the InterNIC whois contact for the iit.edu domain:
Administrative Contact, Technical Contact, Zone Contact:
Von Borstel, Robert (RV49)
vo...@IIT.EDU
(312) 567 5809
All: We have assigned an internal reference number to this incident
and it is included in the subject line of this e-mail message.
This unique, random number will help us track correspondence
and coordinate our activities. We would appreciate your
including it in the subject line of future correspondence
about this incident.
iit.edu: we encourage you to check for signs of compromise using our
"CERT Generic Security Information" available from:
ftp://info.cert.org/pub/tech_tips/security_info
We encourage you to consult past CERT advisories, CERT
summaries and vendor bulletins, and apply those that may be
relevant to your particular configuration. We further
encourage you to make sure that you have obtained and
installed all other applicable patches or workarounds as
described in other past CERT advisories and bulletins,
including any of the generic advisories on services such as
rdist, tftp, ftpd, anonymous FTP, NFS, and sendmail.
Past CERT advisories, CERT summaries, and Vendor bulletins are
available from:
ftp://info.cert.org:/pub/cert_advisories
ftp://info.cert.org:/pub/cert_summaries
ftp://info.cert.org:/pub/cert_bulletins
If you do find that your site has been compromised, please
complete and return the Incident Reporting Form (appended
below). This completed form will help us better assist you.
Thanks.
All: unless we hear otherwise from you, we will consider this thread
of the incident addressed and closed, and there will be no
further follow-up from us on this incident.
Please don't hesitate to contact us if we can be of
assistance.
k
Katherine T. Fithen
Technical Coordinator
CERT(sm) Coordination Center
>
>
> Hi,
>
> I phoned in a report this morning of an ICMP flood attack from
> charlie.acc.iit.edu on the domain manawatu.gen.nz
> There have been threats of attacks on our domain for several
> days now, so we've been logging non-local ICMP with TCPdump.
>
> The call was processed by James Steven, who phoned me back
> at +64 6 356 3481.
>
> Here is a finger from charlie I was mailed from a friend who
> was at another site while I was being flooded off. This
> was done a few minutes into the attack.
>
> The timestamp on the finger's mail is NZST, which is GMT +12 hours
>
[...]
>
> When the attack began, I called Arron Scott of Waikato University
> in New Zealand, as the NZIX operator. He attempted to block the ICMP
> from charlie entering New Zealand and appeared successful for a few
> minutes (less than 4 minutes), after which the attack resumed.
>
> Arron's address is ar...@waikato.ac.nz
>
>
> Here is the beginning and ending of the attack. Timestamp
> is NZDT, which is GMT +13.
>
> "papaioea" is papaioea.manawatu.gen.nz (202.36.148.65)
>
> A parallel tcpdump using no nslookups confirmed charlie's
> IP as being 198.87.195.20
>
> My apologies for the delay in getting this mail to you, but the sheer
> size of the logfile (25Mb) killed my machine due to pico exhausting
> swap and ram.
>
> Regards
> Alan Brown, hostm...@manawatu.gen.nz, hostm...@manawatu.planet.org.nz
>
> ... [logs omitted]
>
So the little toad has managed to get up someone else's nose.
That someone would need to be mightily pissed off to actually start
this action against the toad's system.
Do we get to hear what caused the grudge?
dgd
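Alan's report describes the detection approach that actually worked for him: log non-local ICMP with tcpdump, run a parallel capture with name lookups turned off so the source comes out as a bare IP, and watch for the flood to start and stop. The block below is an added example (not from the original posting, CERT, or Manawatu Internet) that applies that logic to tcpdump-style lines. The log lines, the benign remote host 192.0.2.7, the local network 202.36.148.0/24 and the rate threshold are assumptions constructed for illustration; the incident's real 25 MB log is not reproduced here.

```python
"""Flag ICMP echo-request floods in tcpdump -n style output.

Added example; not part of the original thread. Addresses, the local
network and the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the defended site is 202.36.148.0/24 (papaioea, 202.36.148.65,
# sits in that range). "Non-local" ICMP means any source outside these nets.
LOCAL_NETS = [ip_network("202.36.148.0/24")]

# tcpdump -n output of the era looks like:
#   13:02:11.482301 198.87.195.20 > 202.36.148.65: icmp: echo request
# -n matters: resolving every source during a flood would itself swamp the box,
# and a reverse lookup can be forged; the raw address is the evidence to keep.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+(?P<kind>echo request|echo reply)"
)


def is_local(addr):
    """True if addr falls inside one of our own networks."""
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def parse(lines):
    """Yield (second_of_day, src, dst, kind) for ICMP echo lines from non-local sources."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_local(m["src"]):
            continue
        sec = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield sec, m["src"], m["dst"], m["kind"]


def flood_sources(lines, threshold=20):
    """Return {src: peak echo requests per second} for sources at or above threshold.

    Counting per one-second bucket per source is what separates a flood from a
    long-running but polite ping; the threshold is a tuning assumption.
    """
    per_sec = defaultdict(lambda: defaultdict(int))
    for sec, src, _dst, kind in parse(lines):
        if kind == "echo request":
            per_sec[src][sec] += 1
    peaks = {src: max(counts.values()) for src, counts in per_sec.items()}
    return {src: peak for src, peak in peaks.items() if peak >= threshold}


# Constructed sample: one benign remote ping, then 60 echo requests in a
# single second from the flooding host, then another benign ping.
SAMPLE_LOG = (
    ["13:02:10.000100 192.0.2.7 > 202.36.148.65: icmp: echo request",
     "13:02:10.000900 202.36.148.65 > 192.0.2.7: icmp: echo reply"]
    + [f"13:02:11.{i:06d} 198.87.195.20 > 202.36.148.65: icmp: echo request"
       for i in range(0, 600000, 10000)]
    + ["13:02:12.100000 192.0.2.7 > 202.36.148.65: icmp: echo request"]
)

if __name__ == "__main__":
    for src, peak in sorted(flood_sources(SAMPLE_LOG).items()):
        print(f"{src}: peak {peak} echo requests/s")
```

To feed it a live capture rather than the constructed sample, a filter equivalent to Alan's "non-local ICMP" logging is `tcpdump -n icmp and not src net 202.36.148.0/24`, with `-n` doing the job of his parallel no-lookup run. Note the limits that the thread itself shows: this tells you who is flooding and when, but once the packets are already crossing the international link the only relief is an upstream block, which is why the NZIX operator was called.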