[nsp-sec] UDP DDoS Attack against 80.65.160.10 (AS21196) - not spoofed
Nicholas Ianelli
ni at cert.org
Sun Apr 6 23:17:19 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Team,
If you recall an email I sent on 2008.03.07 with the Subject:
UDP based DDoS attack against 80.65.160.10 (AS21196)
Tim and Rob came back with the following:
At least some of the attacks were launched from a combination Windows
and Unix botnet. The botnet is located on the #rlz channel on
64.32.10.177 TCP 6667. We see 37 bots on the attack channel presently.
The miscreant or crew is labeled as "jebac" (no quotes). We don't
generally see bots of different OS combined in one channel, so this is
fairly rare:
#rlz [A]UDP48264971 H ~UDP572351 at UDPLink-CFECB7CA.operating-networks.de (Linux operatingcust01.operating-networks.de 2.4.21)
#rlz [C]UDP37410253 H ~UDP929979 at UDPLink-8009F69E.skypoint.net (FreeBSD matthew.skypoint.net 4.5-RELEASE FreeBSD 4)
#rlz [A]UDP46308402 H ~UDP647385 at 67D107C.4C4F7FB1.4A809331.IP (Windows NT LAB223SERVER 5.2 build 3790)
#rlz [A]UDP82437591 H ~UDP911187 at 76395417.B3290689.E4654BAC.IP (SunOS omega 5.8 Generic_108528-24 sun4u)
[ ... ]
Some of the attack commands are listed here. All dates and times are
UTC/GMT.
2008-03-07 09:12:59 [#rlz] <A> .udpflood 80.65.160.10 65000 120
2008-03-07 09:23:12 [#rlz] <A> .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:22 [#rlz] <A> .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:24 [#rlz] <A> .udpflood 80.65.160.10 999999 20
- ---------------------
Not sure if the botnet still resides at the above, but the DDoS (with
corresponding blackmail email - gmail addy) is back. Details are as follows:
First flow started at: 2008-Apr-03 22:13:39
Last flow finished at: 2008-Apr-03 22:54:31
Timestamps are +2 GMT
4230 | 200.253.14.109 | Embratel
4766 | 203.252.210.100 | KIXS-AS-KR Korea Telecom
4766 | 61.80.90.1 | KIXS-AS-KR Korea Telecom
4780 | 203.70.225.193 | SEEDNET Digital United Inc.
5408 | 195.130.72.177 | GR-NET Greek Research & Technology Network
9318 | 121.124.127.21 | HANARO-AS Hanaro Telecom Inc.
9318 | 211.202.2.69 | HANARO-AS Hanaro Telecom Inc.
9628 | 134.75.217.6 | SSEM-AS-KR Seoul Education Science Research Institute
9848 | 61.109.245.31 | GNGAS Enterprise Networks
9903 | 203.158.98.31 | RIT-AS-AP Rajamangala Institute of Technology
12695 | 213.248.57.165 | DINET-AS Digital Network JSC
13749 | 66.98.140.99 | ASN-THEPLANET-2 - ThePlanet.com Internet Services, Inc.
18866 | 69.50.210.217 | ATJEU - Atjeu Publishing LLC
21844 | 74.53.152.100 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
23352 | 205.234.129.138 | SERVERCENTRAL - Server Central Network
24446 | 202.124.245.10 | NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
25973 | 203.22.204.188 | MZIMA - Mzima Networks, Inc.
26496 | 208.109.24.184 | PAH-INC - GoDaddy.com, Inc.
30315 | 66.98.246.62 | ASN-THEPLANET-3 - ThePlanet.com Internet Services, Inc.
31103 | 84.19.178.201 | KEYWEB-AS Keyweb AG
31849 | 69.90.114.126 | GOWEBMAN - GoWebman Corporation Network
https://asn.cymru.com/nsp-sec/upload/1207538019.whois.txt
First flow started at: 2008-Apr-03 22:13:39
Last flow finished at: 2008-Apr-03 22:54:31
Total transfered: 12Mpackets 15Gbytes 1Mflows
Source Address   Port  Destination address  Port  Proto  Pkts  Bytes  Flows
===============================================================================
61.80.90.1       clnt  80.65.160.66         clnt  udp    1M    1G     1
84.19.178.201    clnt  80.65.160.66         clnt  udp    1M    1G     1
203.252.210.100  clnt  80.65.160.66         clnt  udp    977K  1G     1
74.53.152.100    clnt  80.65.160.66         clnt  udp    1M    1G     1
203.158.98.31    clnt  80.65.160.66         clnt  udp    1M    1G     1
69.90.114.126    clnt  80.65.160.66         clnt  udp    1M    1G     1
205.234.129.138  clnt  80.65.160.66         clnt  udp    1M    1G     1
66.98.140.99     clnt  80.65.160.66         clnt  udp    804K  907M   1
61.109.245.31    clnt  80.65.160.66         clnt  udp    821K  882M   1
195.130.72.177   clnt  80.65.160.66         clnt  udp    513K  559M   1
66.98.246.62     clnt  80.65.160.66         clnt  udp    391K  438M   1
208.109.24.184   clnt  80.65.160.66         clnt  udp    253K  322M   1
121.124.127.21   clnt  80.65.160.66         clnt  udp    128K  145M   1
211.202.2.69     clnt  80.65.160.66         clnt  udp    98K   117M   2
203.22.204.188   clnt  80.65.160.66         clnt  udp    51K   64M    1
69.50.210.217    clnt  80.65.160.66         clnt  udp    43K   46M    1
202.124.245.10   clnt  80.65.160.66         clnt  udp    33K   44M    1
213.248.57.165   clnt  80.65.160.66         clnt  udp    39K   43M    1
200.253.14.109   clnt  80.65.160.66         clnt  udp    27K   32M    1
134.75.217.6     clnt  80.65.160.66         clnt  udp    10K   11M    2
203.70.225.193   clnt  80.65.160.66         clnt  udp    2K    3M     1
213.248.57.165   clnt  80.65.160.66         53    udp    843   1M     649
213.248.57.165   clnt  80.65.160.66         123   udp    81    118K   66
211.202.2.69     clnt  80.65.160.66         579   udp    67    98K    66
211.202.2.69     clnt  80.65.160.66         11    udp    67    98K    60
211.202.2.69     clnt  80.65.160.66         258   udp    65    95K    62
211.202.2.69     clnt  80.65.160.66         763   udp    64    93K    61
211.202.2.69     clnt  80.65.160.66         483   udp    63    92K    61
211.202.2.69     clnt  80.65.160.66         45    udp    61    89K    59
211.202.2.69     clnt  80.65.160.66         876   udp    61    89K    58
211.202.2.69     clnt  80.65.160.66         319   udp    60    87K    59
211.202.2.69     clnt  80.65.160.66         681   udp    60    87K    58
211.202.2.69     clnt  80.65.160.66         516   udp    60    87K    56
211.202.2.69     clnt  80.65.160.66         941   udp    60    87K    58
211.202.2.69     clnt  80.65.160.66         315   udp    59    86K    57
211.202.2.69     clnt  80.65.160.66         236   udp    58    84K    57
211.202.2.69     clnt  80.65.160.66         927   udp    58    84K    55
211.202.2.69     clnt  80.65.160.66         277   udp    58    84K    54
211.202.2.69     clnt  80.65.160.66         136   udp    58    84K    54
211.202.2.69     clnt  80.65.160.66         72    udp    58    84K    55
211.202.2.69     clnt  80.65.160.66         813   udp    58    84K    55
211.202.2.69     clnt  80.65.160.66         20    udp    57    83K    55
211.202.2.69     clnt  80.65.160.66         384   udp    57    83K    55
211.202.2.69     clnt  80.65.160.66         392   udp    57    83K    54
211.202.2.69     clnt  80.65.160.66         175   udp    57    83K    56
211.202.2.69     clnt  80.65.160.66         438   udp    57    83K    51
211.202.2.69     clnt  80.65.160.66         979   udp    57    83K    56
211.202.2.69     clnt  80.65.160.66         27    udp    57    83K    57
211.202.2.69     clnt  80.65.160.66         888   udp    57    83K    55
211.202.2.69     clnt  80.65.160.66         953   udp    57    83K    55
- -------------------------
First flow started at: 2008-Apr-05 10:26:31
Last flow finished at: 2008-Apr-05 10:49:55
Total transfered: 2Mpackets 3Gbytes 1Mflows
Source Address   Port  Destination address  Port  Proto  Pkts  Bytes  Flows
===============================================================================
200.253.14.109   clnt  80.65.160.66         clnt  udp    102K  138M   2
202.124.245.10   clnt  80.65.160.66         972   udp    459   672K   243
4230 | 200.253.14.109 | Embratel
24446 | 202.124.245.10 | NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFH+ZI/i10dJIBjZIARCGr0AKC6AIBxuFRwb8kjj1Ak+WHL1h9H5QCfU1Wf
yM4iuQAamC7Zk4RewMxwe2c=
=3Adc
-----END PGP SIGNATURE-----
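As an added example (not part of the original post, nor tooling from CERT or nsp-sec), the script below parses a flow table in the format shown in the message together with the "ASN | IP | name" list, and rolls the figures up per source address and per origin ASN, which is the shape a report to each upstream needs. The embedded input is a retyped subset of the rows from the message, labelled as constructed; the UNKNOWN placeholder for an address that is missing from the ASN list is this script's own convention, and the K/M/G figures are treated as the rounded values the report prints, so totals are approximations.

```python
"""Turn a flow report like the one in the message into a per-source and
per-ASN summary, so each origin network can be notified with exact figures.
Added example; not code from the original post or from CERT."""
import re
from collections import defaultdict

# Constructed input: a subset of the flow rows and ASN lines from the
# message, retyped here so the script runs offline.
FLOW_REPORT = """\
Source Address   Port  Destination address  Port  Proto  Pkts  Bytes  Flows
===============================================================================
61.80.90.1       clnt  80.65.160.66         clnt  udp    1M    1G     1
84.19.178.201    clnt  80.65.160.66         clnt  udp    1M    1G     1
213.248.57.165   clnt  80.65.160.66         clnt  udp    39K   43M    1
213.248.57.165   clnt  80.65.160.66         53    udp    843   1M     649
213.248.57.165   clnt  80.65.160.66         123   udp    81    118K   66
211.202.2.69     clnt  80.65.160.66         clnt  udp    98K   117M   2
211.202.2.69     clnt  80.65.160.66         579   udp    67    98K    66
211.202.2.69     clnt  80.65.160.66         11    udp    67    98K    60
"""

ASN_LIST = """\
4766 | 61.80.90.1 | KIXS-AS-KR Korea Telecom
9318 | 211.202.2.69 | HANARO-AS Hanaro Telecom Inc.
12695 | 213.248.57.165 | DINET-AS Digital Network JSC
31103 | 84.19.178.201 | KEYWEB-AS Keyweb AG
"""

_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")


def parse_size(token):
    """'43M' -> 43000000. The report rounds to whole units, so totals
    derived from it are approximations, not exact counters."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad size token: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_flows(text):
    """Parse the 8-column flow table; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not _IPV4.match(parts[0]):
            continue
        src, sport, dst, dport, proto, pkts, nbytes, flows = parts
        rows.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                     "proto": proto, "pkts": parse_size(pkts),
                     "bytes": parse_size(nbytes), "flows": int(flows)})
    return rows


def parse_asn(text):
    """'ASN | IP | name' lines, as in the whois-style list in the message."""
    table = {}
    for line in text.splitlines():
        if line.count("|") < 2:
            continue
        asn, ip, name = (f.strip() for f in line.split("|", 2))
        table[ip] = (int(asn), name)
    return table


def summarise_by_source(rows):
    """Totals per source IP plus the set of fixed destination ports hit
    ('clnt' in the report denotes an ephemeral port and is not counted)."""
    out = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flows": 0,
                               "dst_ports": set()})
    for r in rows:
        s = out[r["src"]]
        s["pkts"] += r["pkts"]
        s["bytes"] += r["bytes"]
        s["flows"] += r["flows"]
        if r["dport"].isdigit():
            s["dst_ports"].add(int(r["dport"]))
    return dict(out)


def summarise_by_asn(rows, asn_table):
    """Roll the per-source totals up to origin ASN, largest byte count first."""
    agg = {}
    for ip, s in summarise_by_source(rows).items():
        # Placeholder ASN 0 for addresses absent from the list (assumption).
        asn, name = asn_table.get(ip, (0, "UNKNOWN (not in ASN list)"))
        a = agg.setdefault(asn, {"asn": asn, "name": name, "pkts": 0,
                                 "bytes": 0, "flows": 0, "sources": []})
        for k in ("pkts", "bytes", "flows"):
            a[k] += s[k]
        a["sources"].append(ip)
    return sorted(agg.values(), key=lambda a: (-a["bytes"], a["asn"]))


def format_report(rows, asn_table):
    """One line per ASN with its totals, followed by the offending sources."""
    lines = []
    for a in summarise_by_asn(rows, asn_table):
        lines.append(f"AS{a['asn']:<6} {a['bytes'] / 1e6:10.1f} MB "
                     f"{a['flows']:6d} flows  {a['name']}")
        for ip in a["sources"]:
            lines.append(f"    {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_flows(FLOW_REPORT), parse_asn(ASN_LIST)))
```

Feeding the full table from the message instead of the subset produces one block per origin network; the per-source destination-port set separates the single-flow bulk senders from the sources that spread their traffic across many fixed ports, which is useful when describing the traffic to the upstream's abuse desk.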