[nsp-sec-jp] 1000 Drone attack, check for your ips here!
Taka Mizuguchi
taka @ ntt.net
Mon Nov 26 08:13:47 EST 2007
To everyone on NSP-SEC-JP,

I had fallen a little behind on NSP-SEC...

The following host appears to be infected with a virus/worm.

10021 | 210.233.197.212 | KVH KVH Co.,Ltd

A large-scale DDoS attack is in progress, and apparently it is being blackholed.
They say there is no need to filter, but the host appears to be infected.

The attackers connect to port 80 by performing a TCP 3-way handshake.
They then send valid HTTP2 request packets and try to download files.
This reportedly generates several Gbps of traffic, making it a frightening
botnet.

Please check.
Forwarded by Taka Mizuguchi <taka @ ntt.net>
----------- nsp-security Confidential --------
Hello all,

As usual when we get large DoS attacks, we are able to filter/absorb
internally just fine, so please do not filter this attack on your
networks, we don't want to be partially blackholed.

This list is provided so you can look on your networks to find hosts
infected with drones.

These attackers were completing full TCP 3-way handshakes to port 80,
and sending valid HTTP requests to download files, using up thousands
of sockets and about several Gbps of bandwidth, so a fairly scary
botnet.

Hopefully someone with one of these drones on their network can look
for the control node...

Cheers and Happy Thanksgiving,

The full list of attackers is:

AS | IP | AS Name
10021 | 210.233.197.212 | KVH KVH Co.,Ltd
-----
Taka Mizuguchi
taka @ ntt.net
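
Added example (not part of the original message or of the list it forwards): one way for an operator to check an "AS | IP | AS Name" list like the one above against their own ASNs and prefixes. The function names and all sample values (documentation addresses, private-use ASNs) are constructed for illustration.

```python
import ipaddress

# Constructed sample in the "AS | IP | AS Name" layout; not data from the message.
SAMPLE_LIST = """\
AS | IP | AS Name
64500 | 192.0.2.17 | EXAMPLE-NET-A
64500 | 192.0.2.200 | EXAMPLE-NET-A
64501 | 198.51.100.9 | EXAMPLE-NET-B
64502 | 203.0.113.300 | EXAMPLE-NET-C
this line is not a list entry
"""

def parse_attacker_list(text):
    """Return (entries, rejected): validated rows and lines that failed parsing."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank line or separator such as "-----"
        fields = [f.strip() for f in line.split("|", 2)]
        if len(fields) == 3 and fields[0].upper() == "AS":
            continue  # column header
        try:
            if len(fields) != 3:
                raise ValueError("expected three fields")
            asn = int(fields[0])
            ip = ipaddress.ip_address(fields[1])  # rejects malformed addresses
        except ValueError:
            rejected.append(raw)  # keep for manual review, do not drop silently
            continue
        entries.append((asn, ip, fields[2]))
    return entries, rejected

def hosts_in_my_network(entries, my_asns=(), my_prefixes=()):
    """Listed IPs attributed to our ASNs or inside our prefixes, deduplicated."""
    nets = [ipaddress.ip_network(p) for p in my_prefixes]
    hits = set()
    for asn, ip, _name in entries:
        # Match on prefix too: the AS column is the sender's view of the origin
        # AS and can miss address space announced on our behalf by another AS.
        if asn in my_asns or any(ip in net for net in nets):
            hits.add(ip)
    return sorted(hits, key=lambda a: (a.version, int(a)))

if __name__ == "__main__":
    parsed, bad = parse_attacker_list(SAMPLE_LIST)
    for ip in hosts_in_my_network(parsed, {64500}, ["198.51.100.0/24"]):
        print("investigate:", ip)
    print("unparsed lines:", bad)
```

The resulting addresses are the ones to look up in flow or DHCP/NAT records to locate the infected host.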