Mitigation actions from recent persistent attacks against a NERO customer

David Crowe, Jr. crowed at
Fri Apr 7 14:26:06 PDT 2006


With the damage caused by recent persistent and aggressive attacks
against one of the NERO customers, I wanted to let you know what we've
found as soon as it was prudent and what mitigation efforts we've taken
to protect against future attacks.

After analyzing the network flow data we normally collect we have
identified, with a high degree of certainty, the source and nature of
these attacks and they were the same in all recent cases over the last
3+ days.  The attack is against one single IP address as far as we can

The source IP address of the attacks was found to be within the
following address range:

We have also checked our data to see if we have any historical evidence
that this address range has had any interaction with any other NERO
customers and can find extremely minimal interaction over the past week
besides the attacks themselves.

With this information in hand we have placed filters on the NERO edge
interfaces to block all communications from this address range to the
NERO Network itself.  This block will stay in place while we work with
the hosting provider in question to stop any future attacks from

This is an extremely drastic step for us to take and we don't take it
lightly.  If you believe you or your organization will be impacted in a
negative way because of this block, please let us know the specifics and
we will work with you to restore access to the necessary addresses.  We
will also follow up when we feel it is safe for us to remove this block
so you may be prepared and be aware.

While this will stop an attack from this specific source, Denial of
Service (DoS) attacks (whether distributed or not) can also move around
to new sources.  We will keep a close eye on any new sources and work to
continue fixing them if they occur.

Please don't hesitate to contact us if you have any questions or
concerns at the NERO NOC:

phone: 541.346.6476
email: noc at



David Crowe, Jr.                        Email:      crowed at
Director, NERO Network                  Phone:      541.346.1698
UO Computing Center                     FAX:        541.346.4397
1225 Kincaid                            Cell:       541.912.1198
Eugene, OR 97401                        GPG Key ID: 9DEDD126

Fingerprint: 4860 7B9E D68F E95F 49CC  D074 CE8F 9483 9DED D126
