[nsp-sec] Attack against 208.100.5.32 & 72.20.34.135
Jose Nazario
jose at arbor.net
Mon Apr 7 17:39:10 EDT 2008
On Mon, 7 Apr 2008, John Fraizer wrote:
> I had three hosts (three sites, three states, same customer) start
> slamming 208.100.5.32 and 72.20.34.135 at 23:49:01 and 23:49:21 UTC
> respectively.
> The attacks were TCP SYN floods to port 80 with random (non-sequential)
> source ports and anywhere between 5 and 35 packets per flow.
> I have ACL'd the attack but thus far, I can find no C&C action. I find
> it way too coincidental that these three hosts would all spool up
> packet-luv for two remote sites within 20 seconds of each other and that
> all three hosts belong to the same master customer. Something has to
> have triggered this.
> Did anyone see an attack order given or have any other idea what I'm
> dealing with here?
here ya go (just back from a family weekend away)
First:           2008-04-04 15:03:58
Timestamp:       2008-04-04 18:34:00
C&C IP:          89.149.240.181
C&C Hostname:    unknown.vectoral.info
C&C Port:        80
C&C ASN:         28753
C&C CC:          UK
C&C Channel:     #exp4
Command URL:
Command Given:   .syn
Target IP:       72.20.34.135
Target Hostname:
Target ASN:      25761
Target CC:       US
not sure about your other IP, no attacks logged for that.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/