DoS?

Giganews Newsgroups
Subject: DoS?
Posted by:  mu…@jaguarot.com
Date: 10 May 2007

First post here.

I've attached a snippet from my Kiwi Syslog from a customer's server.
Take a look at the times and you'll see I'm getting bombarded with
SMTP -- over 40 in half a minute, but sometimes as many as fifteen a
second -- from IP addresses in the 72.34.1xx.xxx range. I've Googled
some of them at random and the only connection is that they are all
from the same ISP in Texas. I first noticed the problem when the
Exchange server crashed. I blocked the ISP's entire block at the router,
but obviously this volume of traffic is still affecting things.

Does anyone have an idea where to start with this? Any help will be
much appreciated.

Thanks,

Mark

05-10-2007    11:47:11    Local0.Warning    192.168.0.1    IP: Packet discarded
from 63.170.10.91 port 60668 to xxx.xxx.xxx.xxx port 25 (TCP)
(incorrect state) @2007-05-10-12:47:12
05-10-2007    11:47:11    Local0.Warning    192.168.0.1    IP: entry duplicated 3
times @2007-05-10-12:47:10
05-10-2007    11:47:09    Local0.Warning    192.168.0.1    IP: Packet discarded
from 63.170.10.91 port 60679 to xxx.xxx.xxx.xxx port 25 (TCP)
(incorrect state) @2007-05-10-12:47:10
05-10-2007    11:47:09    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.174.68 port 51646 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:10
05-10-2007    11:47:08    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:08    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:07    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:07    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:07    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:07    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:07    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007    11:47:01    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:03
05-10-2007    11:46:57    Local0.Info    192.168.0.1    IP: Packet allowed from
130.13.100.122 port 2492 to xxx.xxx.xxx.xxx port 443 (TCP)(allow by
HTTPS) @2007-05-10-12:46:59
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.166.70 port 42172 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.163.240 port 41907 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.169.108 port 50974 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.166.133 port 50915 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.169.202 port 42518 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.223 port 42407 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.168.178 port 42107 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 219.148.119.6 port 6000 to xxx.xxx.xxx.xxx port 7212 (TCP)(no NAT
port) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.167.199 port 50697 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.162.151 port 41557 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:52    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.164.35 port 41449 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007    11:46:51    Local0.Info    192.168.0.1    IP: Packet allowed from
63.170.10.91 port 60995 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:53
05-10-2007    11:46:50    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.175.8 port 48881 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:51
05-10-2007    11:46:49    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:51
05-10-2007    11:46:49    Local0.Warning    192.168.0.1    IP: Packet discarded
from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound
rule) @2007-05-10-12:46:50
05-10-2007    11:46:45    Local0.Info    192.168.0.1    IP: Packet allowed from
63.170.10.91 port 60820 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:47
05-10-2007    11:46:45    Local0.Info    192.168.0.1    IP: Packet allowed from
63.170.10.91 port 60819 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:47
05-10-2007    11:46:44    Local0.Info    192.168.0.1    IP: Packet allowed from
63.170.10.91 port 60779 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:45
05-10-2007    11:46:44    Local0.Warning    192.168.0.1    IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:45
05-10-2007    11:46:43    Local0.Warning    192.168.0.1    IP: Packet discarded
from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound
rule) @2007-05-10-12:46:44
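
Added example, not part of the original post: a Python triage sketch for a firewall log in the format shown above. It rejoins the wrapped lines, counts discarded port-25 packets per source /16 and per second, collapses repeats of the same source IP and source port (the posted log shows such repeats a few seconds apart) into one attempt, and lists internal hosts whose traffic was discarded. The sample lines are constructed with documentation-range addresses, and the names `parse`, `summarize`, `RECORD` and `SAMPLE` are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# One packet record of the router log, matched after wrapped lines are rejoined.
RECORD = re.compile(
    r"(?P<ts>\d\d-\d\d-\d{4}\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+IP: Packet "
    r"(?P<action>discarded|allowed) from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>\S+) port (?P<dport>\d+) \(TCP\)\s*\((?P<reason>[^)]*)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the post's format; addresses are documentation ranges.
SAMPLE = """\
05-10-2007    11:47:08    Local0.Warning    192.168.0.1    IP: Packet discarded
from 198.51.100.20 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007    11:47:08    Local0.Warning    192.168.0.1    IP: Packet discarded
from 198.51.100.77 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: Packet discarded
from 198.51.100.20 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06
05-10-2007    11:47:05    Local0.Warning    192.168.0.1    IP: entry duplicated 3 times @2007-05-10-12:47:06
05-10-2007    11:46:51    Local0.Info    192.168.0.1    IP: Packet allowed from
203.0.113.5 port 60995 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:53
05-10-2007    11:46:49    Local0.Warning    192.168.0.1    IP: Packet discarded
from 192.168.0.21 port 1805 to 192.0.2.10 port 6667 (TCP)(outbound rule) @2007-05-10-12:46:50
"""

def parse(text):
    """Rejoin wrapped lines, then return one dict per packet record."""
    return [m.groupdict() for m in RECORD.finditer(re.sub(r"\s*\n\s*", " ", text))]

def summarize(events, dport="25"):
    """Count discards to dport and list internal hosts whose traffic was discarded."""
    dropped = [e for e in events if e["action"] == "discarded" and e["dport"] == dport]
    # Same source IP and source port seen again is treated as a retry, not a new attempt.
    attempts = {(e["src"], e["sport"]) for e in dropped}
    nets = Counter(str(ipaddress.ip_network(s + "/16", strict=False)) for s, _ in attempts)
    internal = {(e["src"], e["dport"]) for e in events if e["action"] == "discarded"
                and any(ipaddress.ip_address(e["src"]) in n for n in RFC1918)}
    return {"log_lines": len(dropped), "distinct_attempts": len(attempts),
            "attempts_by_net16": dict(nets),
            "peak_lines_per_second": max(Counter(e["ts"] for e in dropped).values(), default=0),
            "internal_sources_discarded": sorted(internal)}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Comparing `log_lines` with `distinct_attempts` separates retries of blocked connections from new sources, and `internal_sources_discarded` surfaces LAN hosts whose own outbound traffic is hitting a discard rule.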
