[nsp-sec] Attack against 208.100.5.32 & 72.20.34.135
John Fraizer
john at op-sec.us
Sun Apr 6 22:54:55 EDT 2008
I had three hosts (three sites, three states, same customer) start
slamming 208.100.5.32 and 72.20.34.135 at 23:49:01 and 23:49:21 UTC
respectively.
The attacks were TCP SYN floods to port 80 with random (non-sequential)
source ports and anywhere between 5 and 35 packets per flow.
I have ACL'd the attack but thus far, I can find no C&C action. I find it
way too coincidental that these three hosts would all spool up packet-luv
for two remote sites within 20 seconds of each other and that all three
hosts belong to the same master customer. Something has to have triggered
this.
Did anyone see an attack order given or have any other idea what I'm
dealing with here?
Thanks,
John
AS11456