Internet Lockout of certain sites ? !!

rhino8

Membership Revoked
:shk: :shk: :shk:
Don't know if the Sh*t is really about to hit the fan or what.

Could someone explain the following:

I have about 3 sites (which will remain nameless for right now) that I access on a regular basis. Basically nonmainstream news sites.

I have a BYTES SENT/RECEIVE monitor for my internet provider.

I can't access any of these sites and the BYTES SENT/RECEIVE monitor shows nothing sent or received.

Now I can think of only a couple of explanations which scare the crap out of me:

1) someone has a monitoring program in my computer and has already stolen much info....and is blocking these sites

2) A multipronged attack is occurring on the internet to prevent these sites from being accessed....

Anyone else have another explanation?


Also...can we expect the Gov't or some other entity to do these types of service disruptions if war breaks out in IRAQ or some other catastrophe in the world takes place?

I'm glad at least TB2K isn't down so I can post this....i like to stay informed
 

Charlie

Membership Revoked
Wow...same thing here with me too. Either Tom Ridges is flexing his new muscle or else the hackers are on overtime. Almost all of my stuff is down tonight too. Strange! We may have to resort to phones, snail mail and stone tablets if this keeps up.
 

Chapulin

Veteran Member
Flakey from Seattle, even InternetTrafficReport.com is unreachable.
Tomshardware.com is there, AMDZone.com isn't, komotv.com isn't. Seems like the choke point is up around here somewhere?

Chap
 
Yep, not only sites unavailable, but bandwidth keeps getting choked out and I have to reconnect to get it back.
Someone needs to say it. Is this the beginning of the promised national hack attack by the unfriendlies?

Tras
 

Kris Gandillon

The Other Curmudgeon
_______________
The "other board" seems to be down as well....for a few seconds anyway...now they are back...nope, gone again.

Kris
 

junerage

Contributing Member
same here.

i started having trouble around 1 pm EST (Friday) ~ glad i'm not the only one, I was getting ready to call my ISP (I have a DSL).

yahoo was even unreachable a few times for me - as was one of the sites I own.

ugh!
 

zip

Guest
Same here, I was posting on the other forum and was shut down, then tried some other sites, news and such and the same happened.
We may have a cyber attack going down, not of the "web war" type but of the for real terrorist type.

any more info??
 

'plain o joe'

Membership Revoked
I have had 3 Klez viri in the last 24 hrs. Caught 'em with norton. I haven't had 3 viri in the last 6 months.

I also ran adaware and found 21 "files" that are now deleted.

Also caught a funny email that was sent from the west coast...
 

timbo

Deceased
Being a non-nerd in computer and stuff, is there any other explanation for this, and has anything like this happened before that you all know of?
 

nutkin

Hormonal...and Armed
Me too. Can't get into SABC news out of S. Africa...was tracking an anthrax outbreak ref. out of googlenews. :mad:
 

catphish

Guest
I am getting about 6 hits/minute

Port 1434/UDP aka SQL Server

They are coming in from all over. If you manage a public sql server, I would be sure it was up to date and locked down.

The activity is bizarre in that ALL the hits are coming in on this port.
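As an added example (not part of catphish's post), here is one way to reproduce that observation from a firewall log: count hits per destination port and flag any port that many distinct sources probe and that dominates the log. The log format, sample lines and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a hypothetical "timestamp source protocol dest-port"
# log format; sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2003-01-25T05:30:00 192.0.2.10 UDP 1434
2003-01-25T05:30:07 198.51.100.23 UDP 1434
2003-01-25T05:30:15 203.0.113.5 UDP 137
2003-01-25T05:30:15 203.0.113.5 TCP 139
2003-01-25T05:30:21 203.0.113.77 UDP 1434
2003-01-25T05:30:34 198.51.100.140 UDP 1434
2003-01-25T05:30:48 192.0.2.201 UDP 1434
garbled line that the parser must skip
2003-01-25T05:31:00 203.0.113.18 UDP 1434
"""

def parse(log_text):
    """Yield (time, source, protocol, port) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].upper(), int(parts[3])
        except ValueError:
            continue  # bad timestamp or port number

def summarize(log_text):
    """Per (protocol, port): hits, distinct sources, share of log, hits per minute."""
    seen = defaultdict(lambda: {"sources": set(), "times": []})
    for when, src, proto, port in parse(log_text):
        seen[(proto, port)]["sources"].add(src)
        seen[(proto, port)]["times"].append(when)
    total = sum(len(e["times"]) for e in seen.values())
    report = {}
    for key, e in seen.items():
        minutes = (max(e["times"]) - min(e["times"])).total_seconds() / 60
        report[key] = {"hits": len(e["times"]), "sources": len(e["sources"]),
                       "share": len(e["times"]) / total,
                       "per_minute": len(e["times"]) / minutes if minutes else None}
    return report

def flag_sweeps(report, min_sources=5, min_share=0.5):
    """Ports probed by many distinct sources that also dominate the log."""
    return sorted(k for k, r in report.items()
                  if r["sources"] >= min_sources and r["share"] >= min_share)

print("flagged:", flag_sweeps(summarize(SAMPLE_LOG)))
```
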
 

dragonflower

Guest
Was wandering through and did some checking on some non mainstream news sites I visit as well. Some came up and some didn't. My daughter said earlier that she was having trouble getting just about everything. I thought maybe she just needed to disconnect and then reconnect or shutdown reboot. Really makes you wonder just what the h*** is going on.
 

Kris Gandillon

The Other Curmudgeon
_______________
Getting hammered myself:

 

Caplock50

I am the Winter Warrior
I've been here all day. (That's right, I don't got no life.) Could this be tied in with 'Warden alert' Washington sent out to all our embassies around the world?
 

Kris Gandillon

The Other Curmudgeon
_______________
Moscow????

130.152.180.21 3.798 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 9.119 ms ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.29.136 9.877 ms xe-1-0-0.r21.lsanca01.us.bb.verio.net [AS2914] Verio
6 129.250.2.187 11.205 ms p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
7 129.250.2.198 17.013 ms p16-1-1-2.r21.plalca01.us.bb.verio.net [AS2914] Verio
8 129.250.3.85 12.051 ms p16-1-0-0.r00.plalca01.us.bb.verio.net [AS2914] Verio
9 129.250.9.58 12.018 ms p4-0.cw.plalca01.us.bb.verio.net [AS2914] Verio
10 208.172.146.101 23.649 ms agr1-loopback.SantaClara.cw.net
11 208.172.156.165 14.612 ms dcr2-so-6-0-0.SantaClara.cw.net
12 166.63.194.62 178.117 ms bcr2.Frankfurt.cw.net
13 166.63.194.6 179.602 ms iar1.Frankfurt.cw.net
14 166.63.198.2 220.353 ms cable-and-wireless-internal-isp.Frankfurt.cw.net
15 213.152.128.129 213.166 ms fe0-1-0-r1-MSK-NIK.cwrussia.ru (DNS error) [AS12976] Russian Federation
16 213.152.129.122 214.585 ms comcor-gw.cwrussia.ru (DNS error) [AS12976] Russian Federation
17 212.45.0.19 214.587 ms gate3.comcor.ru (DNS error) [AS8732] Moscow
18 62.117.121.173 304.382 ms DNS error [AS8732] Moscow
 

FredFredson

Inactive
Kris

I've got a couple from Frankfurt as well and several from around Chicago.

I've called a local managed service NOC and they said they were down. I gave them the ports and they started monitoring it as well. (you'd think they would have noticed :rolleyes: )

Yikes!

F
 

Kris Gandillon

The Other Curmudgeon
_______________
Timbo:

You never can tell about these things...

They have happened before.

They are happening now.

And it would appear to be somewhat "organized".

Kris
 

Caplock50

I am the Winter Warrior
Yeah, Timbo. I wanna know if I should risk a little midnight shopping at the nearest food and ammo shops.
 

FredFredson

Inactive
Timbo

There is a lot of traffic on those ports from all over.

It's odd that it would be at night for us if it was an attack of some sort. Maybe it's an attack on THEM and we're getting the fallout :eek:

It is definitely worth watching seeing as how it is so widespread.

F

P.S. Is there anybody NOT on TB2K who is seeing this?
The local NOC's outage could be coincidental I suppose.
 

Caplock50

I am the Winter Warrior
I know you guys are mighty busy right now, but could somebody please explain to this old dinosaur what's going on?
 

FredFredson

Inactive
Caplock50

It's hard to say what's really happening.
All we can see is that computers all over the world are trying to connect to each other on a couple of specific ports, one for NetBIOS (that your PC uses for drive sharing) and one for Microsoft's SQL Server. These connections may be just for Denial Of Service or possibly some other more nefarious purpose.

Here is a really technical article about what may be happening:
http://www.nextgenss.com/advisories/mssql-udp.txt

The interesting thing is the sources of the connections: as Kris found, they are all over and in some very interesting places.

Hmmm

F
 

Camasjune

Inactive
Caplock, we are going through a hack attack. I saw a newsblurb yesterday warning of the possibility. The blurb said it would be from "them" but it just seemed to me that if the alphabet soup was issuing the warning, they would be the ones involved in the perpetration.

Nor does it make sense to me to launch a hack attack on the weekend when it will have little effect on business unless they intend to keep this up well into next week. If it stops before Monday, we will know the target was John Q. Public, recreational information surfers.

Since the initiation of Homeland Security, many of our favorite sites have been torn down and the FORBIDDEN page pops up. Much of the information could be retrieved through web archive sites and mirror sites. The last couple of weeks, the last of the really good sites were forbidden and we were unable to retrieve them from any archives or mirror sites. When I see that Forbidden page, I kinda feel like "welcome to Red China."

Perhaps this is an attempt to close down the last of the real information. The only news sites I can access besides timebomb is lapdog media.

As far as the technical stuff that is going on, I am a technodunce and cannot answer what is going on technically.
 

John H

Inactive
FWIW, someone posted this forum link on the grc security site...

MASSIVE DDOS ATTACKS ALL OVER U.S.
--------------------------------------------------------------------------------
We are monitoring massive Distributed Denial of Service attacks all over the U.S. tonight starting at around 11:30 PM CST. As many as 5 of the 13 root nameservers have been down, up to 10 with massive packet loss (xx%):

Internet Status to Root Name Servers

Date: Fri Jan 24 21:37:00 PST 2003

Place Address Packet Loss Time: Min/Avg/Max

Root b.root-servers.net 53% 25/40/48
Root c.root-servers.net 0% 82/82/82
Root e.root-servers.net 20% 16/29/33
Root f.root-servers.net 26% 17/27/32
Root h.root-servers.net 20% 91/101/108
Root i.root-servers.net 26% 190/199/205
Root j.root-servers.net 26% 81/91/96
Root k.root-servers.net 64% 172/188/201
Root l.root-servers.net 0% 5/5/6
Root m.root-servers.net 33% 160/171/205
GTLD b.gtld-servers.net 26% 52/63/67
GTLD c.gtld-servers.net 31% 85/93/95
GTLD d.gtld-servers.net 13% 88/100/103
GTLD f.gtld-servers.net 22% 38/50/57
GTLD i.gtld-servers.net 0% 198/200/203
GTLD k.gtld-servers.net 24% 90/100/105
GTLD l.gtld-servers.net 33% 128/138/171


All backbone providers are suffering major packet loss (XX%):

Place Address Packet Loss Time: Min/Avg/Max
AboveNet ns.above.net 28% 53/64/66
AGIS ns1.agis.net 26% 62/74/78
AlohaNet nuhou.aloha.net 35% 84/94/98
ANS ns.ans.net 26% 83/97/100
BBN-NearNet nic.near.net 28% 91/114/572
BBN-BARRnet ns1.barrnet.net 26% 16/26/32
Best ns.best.com 35% 79/89/95
Concentric nameserver.concentric.net 35% 18/31/56
CW ns.cw.net 28% 88/98/105
DIGEX ns.digex.net 31% 78/86/91
ENTER.NET dns.enter.net 28% 91/104/108
Epoch Internet ns1.hlc.net 33% 37/48/52
Flash net ns1.flash.net 17% 80/92/94
GetNet ns1.getnet.com 20% 40/52/56
GlobalCrossing name.roc.gblx.net 24% 85/97/104
GoodNet ns1.good.net 31% 83/92/97
GridNet grid.net 20% 80/92/101
IDT Net ns.idt.net 20% 91/104/121
Internex nic1.internex.net 26% 18/31/35
MCI ns.mci.net 22% 91/103/107
MindSpring itchy.mindspring.net 15% 75/88/106
NAP.NET ns2.nap.net 20% 73/85/94
PacBell ns1.pbi.net 0% 89/89/90
Primenet dns1.primenet.net 20% 31/41/45
PSI ns.psi.net 0% 82/84/160
RAINet ns.rain.net 31% 40/49/53
SAVVIS ns1.savvis.net 31% 88/99/102
SprintLink ns1.sprintlink.net 11% 15/27/35
UUNet,AlterNet auth00.ns.uu.net 26% 89/98/103
Verio-West ns0.verio.net 22% 31/42/47
Verio-East ns1.verio.net 22% 86/96/101
VISInet ceylon.visinet.ca 20% 102/116/188
MoonGlobal-ClubNET ns.clubnet.net 0% 0/1/2
MoonGlobal-Netway dns.nwc.net 4% 6/6/7
MoonGlobal-Netxactics verdi.netxactics.com 4% 6/6/7
InterWorld ns.interworld.net 0% 4/4/5


It's massive, no word on source yet. We are watching it closely.

Brad G

American Intelligence

www.americanintelligence.us

http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416
 

alchemike

Veteran Member
no question you guys...

i'm still having lots of difficulty with a number of sites...

and it's 4:45am...

manoman..things are getting sketchy...

o)<

mike
 

John H

Inactive
I put instructions on how to get around DNS problems during an attack at this link.

Look about half way down the thread...

http://www.timebomb2000.com/vb/showthread.php?s=&threadid=31566

Windows looks at the host file for the numbered ip address before it goes to the internet DNS servers, so if it finds it there, it will not look further. That's why this method speeds up your browsing by a half second or so.

You will have to get the ip numbers for any other sites that you want and type them in.

The only problem is that occasionally, ip numbers change and you have to modify the hosts file.

You can find an ip number by opening a dos window and typing, for example, ping www.timebomb2000.com or tracert www.timebomb2000.com. The results include the ip number. Right now, you may have to try several times to get past the DNS server blockage and get the ip number.

This will get around the DNS attack, but I understand there is also a simultaneous Code Red attack against specific sites. Some may have shut down deliberately until it passes. Not sure yet if it is a new version of Code Red, or if the antivirus and antitrojan companies have reacted yet, but you better make sure your antivirus and antitrojan definitions are up to date.

I hope this helps.

John H
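The hosts-file behaviour described in the post above, as an added example that is not part of the original post: it parses hosts-file text, answers lookups from it (returning nothing when the name must go to DNS), and lists pinned entries whose address has since changed. The sample file, the addresses and the `CURRENT_DNS` answers are constructed, and keeping the first entry for a duplicated name is an assumption of this sketch.

```python
import ipaddress

# Constructed hosts-file text; addresses are RFC 5737 documentation values,
# not the real addresses of the sites named.
SAMPLE_HOSTS = """\
# hand-added during the DNS outage
127.0.0.1      localhost
192.0.2.80     www.timebomb2000.com timebomb2000.com   # forum
198.51.100.7   news.example
203.0.113.9    www.timebomb2000.com    # later duplicate, never used
not-an-ip      broken.example
"""

def parse_hosts(text):
    """Return (table, shadowed): name -> IP, plus duplicates that lost out."""
    table, shadowed = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:
            name = name.lower()                  # host names are case-insensitive
            if name in table:
                shadowed.append((name, ip))      # assumption: first entry wins
            else:
                table[name] = ip
    return table, shadowed

def lookup(table, name):
    """IP from the hosts table, or None meaning 'ask DNS as usual'."""
    return table.get(name.lower().rstrip("."))

def stale_entries(table, current_dns):
    """Pinned names whose address no longer appears in current DNS answers."""
    return sorted(name for name, ip in table.items()
                  if name in current_dns and ip not in current_dns[name])

# Constructed stand-in for fresh DNS answers gathered once lookups work again.
CURRENT_DNS = {"www.timebomb2000.com": {"192.0.2.80"},
               "news.example": {"198.51.100.200"}}

table, shadowed = parse_hosts(SAMPLE_HOSTS)
print(lookup(table, "www.timebomb2000.com"), stale_entries(table, CURRENT_DNS))
```

Because a hosts entry overrides DNS for that name, entries left behind after the outage (or added by something other than the user) keep steering traffic to the pinned address until they are removed.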
 