[nsp-sec-jp] UDP port 80 and ICMP DDoS mitigation requested
Taka Mizuguchi
taka @ ntt.net
Thu, 1 Nov 2007 08:09:27 EDT
To all NSP-SEC-JP members,
We have received a report of a DDoS attack against 64.14.48.154.
We ask the ISPs concerned to check on this.
Also, a separate mail has reported infections with a UNIX-based bot tool
called kaiten. Please be careful.
http://packetstormsecurity.org/irc/kaiten.c
-----
Help was requested in dealing with a non-spoofed attack against
64.14.48.154 / www.freelotto.com. It appears to be burst traffic of ICMP and UDP 80.
Most of this traffic is little more than garbage, but there are repeated packets and
GETs against .asp, .html and .htm. Unfortunately, the full payload is not available,
so a complete analysis is not possible, but these appear to be packets of
variable size.
These appear to be Perl-based flooders running on UNIX, and from the trace
they are thought to be non-spoofed, but that is not certain. Please watch for
the traffic pattern toward these destinations.
----------- nsp-security Confidential --------
Hi folks,
I was asked to help mitigate what appears to be a non-spoofed attack
against 64.14.48.154 / www.freelotto.com. I have a small pcap and from
what I can tell it looks like some busted ICMP packets and UDP dport 80.
In all the packets I'm looking at I see what looks like mostly
garbage, although there are some repeated payloads and some text strings
referencing GET, .asp, .html and .htm. Unfortunately I don't have the
full payload so I can't do a full analysis, but it looks like packets
are of varying sizes.
It looks like a handful of Perl-based flooders running on unix
hosts, non-spoofed from the trace, but it's hard to tell at this point.
The addresses I have that are suspect are below. Please take a look
at those or the described pattern above to the destination described
above.
Thank you,
John
4685 | 122.249.3.40 | ASAHI-NET Asahi Net
7671 | 203.211.192.236 | MCNET NTT SmartConnect Corporation
4713 | 218.47.158.147 | OCN NTT Communications Corporation
-----
Taka Mizuguchi
taka @ ntt.net
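The pattern John describes (UDP to dport 80 and ICMP toward one destination, payloads that are mostly garbage but carry fragments such as GET, .asp, .html and .htm, repeated payloads, varying sizes) is easy to screen for in a packet summary once the pcap has been reduced to per-packet records. The script below is an added example written for this page, not code from the original post or from either author. It takes the destination 64.14.48.154 from the report; the source addresses, payloads and the `min_packets` threshold are constructed (RFC 5737 documentation ranges), not the addresses listed in the mail, and the record layout (`src`, `dst`, `proto`, `dport`, `payload`) is an assumption about how a trace would be pre-processed.

```python
"""Screen a packet summary for the flood pattern described in the report:
UDP to dport 80 or ICMP aimed at one destination, with payloads that are
mostly garbage but carry HTTP-looking fragments (GET, .asp, .html, .htm).
Example code, not from the original mail; record layout is assumed."""
import re
from collections import defaultdict

TARGET = "64.14.48.154"  # destination named in the report
# Text fragments the report says appear inside otherwise-garbage payloads.
HTTP_FRAGMENT = re.compile(rb"GET|\.asp|\.html|\.htm", re.IGNORECASE)


def matches_pattern(pkt, target=TARGET):
    """True if a packet record fits the reported pattern: UDP dport 80 or
    ICMP, sent to the attacked destination. Other traffic is ignored."""
    if pkt["dst"] != target:
        return False
    if pkt["proto"] == "udp" and pkt.get("dport") == 80:
        return True
    return pkt["proto"] == "icmp"


def has_http_fragment(payload):
    """True if the payload carries one of the GET/.asp/.html/.htm strings."""
    return HTTP_FRAGMENT.search(payload) is not None


def summarize(packets, target=TARGET, min_packets=3):
    """Aggregate matching packets per source address and return the sources
    that sent at least min_packets of them, most active first. Each entry
    records how many were UDP/80 vs ICMP, how many carried HTTP fragments
    and how many distinct payload sizes were seen (the report notes packets
    of varying size and repeated payloads)."""
    stats = defaultdict(lambda: {"udp80": 0, "icmp": 0, "http_frag": 0,
                                 "sizes": set()})
    for pkt in packets:
        if not matches_pattern(pkt, target):
            continue
        s = stats[pkt["src"]]
        payload = pkt.get("payload", b"")
        s["udp80" if pkt["proto"] == "udp" else "icmp"] += 1
        if has_http_fragment(payload):
            s["http_frag"] += 1
        s["sizes"].add(len(payload))

    report = []
    for src, s in stats.items():
        total = s["udp80"] + s["icmp"]
        if total >= min_packets:
            report.append({"src": src, "total": total, "udp80": s["udp80"],
                           "icmp": s["icmp"], "http_frag": s["http_frag"],
                           "distinct_sizes": len(s["sizes"])})
    report.sort(key=lambda r: r["total"], reverse=True)
    return report


# Constructed sample trace (RFC 5737 source addresses, invented payloads).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"\x8f\x11GET /index.asp\x00\xfa"},
    {"src": "192.0.2.10", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"\x00\x00zz.html\xff"},
    {"src": "192.0.2.10", "dst": TARGET, "proto": "icmp",
     "payload": b"\xde\xad\xbe\xef"},
    {"src": "192.0.2.10", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"\x8f\x11GET /index.asp\x00\xfa"},  # repeated payload
    {"src": "198.51.100.7", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"junk.htm"},
    {"src": "198.51.100.7", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"\x01\x02\x03"},
    {"src": "198.51.100.7", "dst": TARGET, "proto": "icmp",
     "payload": b"\x00" * 56},
    {"src": "203.0.113.5", "dst": TARGET, "proto": "udp", "dport": 80,
     "payload": b"one-off"},                       # below threshold
    {"src": "203.0.113.9", "dst": TARGET, "proto": "tcp", "dport": 80,
     "payload": b"GET / HTTP/1.1"},                # real HTTP, not matched
    {"src": "203.0.113.9", "dst": "198.51.100.200", "proto": "udp",
     "dport": 80, "payload": b"GET x.html"},       # other destination
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_PACKETS):
        print(row)
```

The threshold and the per-source counters are what an operator would hand to the upstream ISPs: a source with many UDP/80 and ICMP packets to the one destination, several of them carrying GET/.asp/.html fragments, and a spread of payload sizes matches the described flooder, whereas a single packet or genuine TCP/80 traffic does not. Because the report itself notes the sources may or may not be spoofed, the output is a candidate list for the address owners to check, not proof of a compromised host.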