[nsp-sec-jp] Metasploit DDoS IP -> ASN mappings

Taka Mizuguchi taka @ nttv6.jp
Mon, 9 Feb 2009 11:20:21 EST


To everyone on NSP-SEC-JP,

This is the C&C information for what was active as the metasploit/milw0rm/packetstorm
attack this weekend.

-----
4721    | 118.86.128.202   | JAPAN CABLENET LIMITED
10010   | 220.216.98.244   | JPNIC-NET-JP-AS-BLOCK Japan Network Information Center
-----


These are the hundreds of thousands of IPs from the attack on metasploit.com.
It is a combination of TCP SYN flood and HTTP GET flood.

1234118825.933552 IP (tos 0x0, ttl 107, id 48323, offset 0, flags [DF],
proto TCP (6), length 48) 79.132.127.6.2055 > 66.240.213.81.80: S, cksum
0x6f92 (correct), 149691282:149691282(0) win 65535 <mss 1440,nop,nop,sackOK>
1234118825.933570 IP (tos 0x0, ttl 105, id 12221, offset 0, flags [DF],
proto TCP (6), length 48) 80.48.33.21.1595 > 66.240.213.81.80: S, cksum
0x41a0 (correct), 853442946:853442946(0) win 64800 <mss 1440,nop,nop,sackOK>
1234118825.933576 IP (tos 0x0, ttl 103, id 65138, offset 0, flags [DF],
proto TCP (6), length 48) 88.249.217.249.2739 > 66.240.213.81.80: S, cksum
0x0e09 (correct), 1213978251:1213978251(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118825.934302 IP (tos 0x0, ttl 105, id 48015, offset 0, flags [DF],
proto TCP (6), length 48) 85.105.116.193.3296 > 66.240.213.81.80: S, cksum
0xeba4 (correct), 891253447:891253447(0) win 65535 <mss 1452,nop,nop,sackOK>

Please take a look and confirm.



Forwarded by Taka Mizuguchi <taka @ nttv6.jp>
----------------------- Original Message -----------------------
----------- nsp-security Confidential --------

Actively seeking C&C info on this weekend's metasploit/milw0rm/packetstorm
attacks.

Here's a few hundred of the thousands of IPs attacking metasploit.com.
Combined TCP SYN flood and HTTP GET floods. Things look like this:

1234118825.933552 IP (tos 0x0, ttl 107, id 48323, offset 0, flags [DF],
proto TCP (6), length 48) 79.132.127.6.2055 > 66.240.213.81.80: S, cksum
0x6f92 (correct), 149691282:149691282(0) win 65535 <mss 1440,nop,nop,sackOK>
1234118825.933570 IP (tos 0x0, ttl 105, id 12221, offset 0, flags [DF],
proto TCP (6), length 48) 80.48.33.21.1595 > 66.240.213.81.80: S, cksum
0x41a0 (correct), 853442946:853442946(0) win 64800 <mss 1440,nop,nop,sackOK>
1234118825.933576 IP (tos 0x0, ttl 103, id 65138, offset 0, flags [DF],
proto TCP (6), length 48) 88.249.217.249.2739 > 66.240.213.81.80: S, cksum
0x0e09 (correct), 1213978251:1213978251(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118825.934302 IP (tos 0x0, ttl 105, id 48015, offset 0, flags [DF],
proto TCP (6), length 48) 85.105.116.193.3296 > 66.240.213.81.80: S, cksum
0xeba4 (correct), 891253447:891253447(0) win 65535 <mss 1452,nop,nop,sackOK>


No timestamps but everything is within a few seconds of each other.
Timestamps in UTC.

Top 10 ASNs by bot count:

 333 9121      TTNET TTnet Autonomous System
  50 5617      TPNET Polish Telecom_s commercial IP network
  24 9050      RTD RTD-ROMTELECOM Autonomous System Number
  19 8997      ASN-SPBNIT OJSC North-West Telecom Autonomous System
  15 20771     CAUCASUS-CABLE-SYSTEM CCS Autonomous System
  13 8708      RDSNET RCS & RDS S.A.
  12 12978     DOGAN-ONLINE Dogan Iletisim Elektronik Servis Hizmetleri AS
   8 6746      ASTRAL ASTRAL Telecom SA, Romania
   7 9198      KAZTELECOM-AS Kazakhtelecom Corporate Sales Administration
   7 25019     SAUDINETSTC-AS Autonomus System Number for SaudiNet



I have no C&C logs at this point, actively seeking.

Thank you. 

-- 
Taka Mizuguchi <taka @ nttv6.jp>
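As an added example (not from the post, the list, or its authors), the aggregation behind a "Top 10 ASNs by bot count" table like the one above: parse tcpdump lines in the format quoted in the message, map each SYN source to an origin ASN by longest-prefix match, and count unique sources per ASN so a single chatty host cannot inflate its network's rank. The sample packets, the prefix table and the ASN numbers are constructed placeholders (documentation ranges and RFC 5398 documentation ASNs), not real mappings.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted above, one packet per line.
# Addresses use documentation ranges and the prefix->ASN table is made up.
SAMPLE_LINES = """\
1234118825.933552 IP (tos 0x0, ttl 107, id 48323, offset 0, flags [DF], proto TCP (6), length 48) 192.0.2.6.2055 > 203.0.113.81.80: S, cksum 0x6f92 (correct), 149691282:149691282(0) win 65535 <mss 1440,nop,nop,sackOK>
1234118825.933570 IP (tos 0x0, ttl 105, id 12221, offset 0, flags [DF], proto TCP (6), length 48) 192.0.2.21.1595 > 203.0.113.81.80: S, cksum 0x41a0 (correct), 853442946:853442946(0) win 64800 <mss 1440,nop,nop,sackOK>
1234118825.933576 IP (tos 0x0, ttl 105, id 12222, offset 0, flags [DF], proto TCP (6), length 48) 192.0.2.21.1596 > 203.0.113.81.80: S, cksum 0x0e09 (correct), 853442947:853442947(0) win 64800 <mss 1440,nop,nop,sackOK>
1234118825.934302 IP (tos 0x0, ttl 105, id 48015, offset 0, flags [DF], proto TCP (6), length 48) 198.51.100.193.3296 > 203.0.113.81.80: S, cksum 0xeba4 (correct), 891253447:891253447(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118825.934400 IP (tos 0x0, ttl 110, id 7, offset 0, flags [DF], proto TCP (6), length 48) 192.0.2.40.4100 > 203.0.113.81.80: S, cksum 0x1111 (correct), 1:1(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118825.934500 IP (tos 0x0, ttl 110, id 8, offset 0, flags [DF], proto TCP (6), length 48) 100.64.0.5.5000 > 203.0.113.81.443: S, cksum 0x2222 (correct), 2:2(0) win 65535 <mss 1452,nop,nop,sackOK>
"""

ASN_TABLE = [  # (prefix, ASN, name); constructed, RFC 5398 documentation ASNs
    (ipaddress.ip_network("192.0.2.0/24"), 64496, "EXAMPLE-NET-A"),
    (ipaddress.ip_network("192.0.2.16/28"), 64497, "EXAMPLE-NET-A-CUSTOMER"),
    (ipaddress.ip_network("198.51.100.0/24"), 64498, "EXAMPLE-NET-B"),
]

PKT_RE = re.compile(  # timestamp, IP header in (...), src.port > dst.port: flags
    r"^(?P<ts>\d+\.\d+) IP \(.*?\) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRP.]+)[, ]"
)

def lookup_asn(ip):
    """Longest-prefix match of ip against ASN_TABLE; (None, 'UNKNOWN') if no hit."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, "UNKNOWN")

def bots_per_asn(lines, dst_port=80):
    """Unique SYN sources per ASN toward dst_port (bots, not packets,
    so one chatty host cannot inflate its ASN's rank)."""
    sources = defaultdict(set)
    for line in lines:
        m = PKT_RE.match(line)
        if m and m["flags"] == "S" and m["dport"] == str(dst_port):
            sources[lookup_asn(m["src"])].add(m["src"])
    rows = [(len(ips), asn, name) for (asn, name), ips in sources.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1] is None, r[1] or 0))

def format_report(rows, n=10):
    """Render in the '<count> <ASN> <name>' layout of the Top-10 table above."""
    return "\n".join(f"{c:4d} {a if a is not None else '-':<9} {name}" for c, a, name in rows[:n])
```

Running `print(format_report(bots_per_asn(SAMPLE_LINES.splitlines())))` lists 64496 first with two bots, since 192.0.2.21 is counted once despite sending two SYNs and the port-443 packet is excluded.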


