[nsp-sec] DSL Reports DDoS info - bot reports
Jose Nazario
jose at arbor.net
Thu Apr 10 23:00:06 EDT 2008
sharing this data with justin's permission. he heads DSL reports.
> the tcp botnet is http://docs.google.com/Doc?id=dpbj3qz_11722939fd
> and these were collected from 10am EST through now. I'm working
> on a file that includes exact timestamps for each IP in that file.
> The udp botnet is http://docs.google.com/Doc?id=dpbj3qz_12dwt2nvdb
> and they all were captured at the same instant, at 1:12pm, EST friday
> 10th april
and a third type of attack, an icmp attack, by different addresses. C&C: 202.71.106.56:80 (malaysia)
> http://docs.google.com/View?docid=dpbj3qz_13gfm7hqcr
> icmp attack ips - all april 10th 13:12 (us/eastern) -0400
> large fragmented icmp packets
Command URL http://ad.yandexshit.com/_admin/stat.php
Command Given
10;2000;10;1;0;30;100;3;20;1000;2000#flood icmp 209.123.109.175#15#
i've gone ahead and made a list of ASNs out of the attacks. the TCP attack
has slightly variant timestamps, so there are four columns (time is US
eastern for thursday april 10):
ASN | IP | Time (US Eastern) | Netname
44775 | 86.110.187.57 | 09:58:15 | ECOM-DON-AS ZAO ELECTRO-COM DON
the udp and icmp attacks have a single timestamp (both at 13:12
(us/eastern) thursday april 10).
the files are up here:
http://monkey.org/~jose/private/dslr/
for the TCP and ICMP attacks, see the list archives; i sent out the C&C
(turns out the ICMP attacks are on the same CNC setup). you've got a
blackenergy infestation. for the UDP attacks i don't know yet.
hope this helps.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
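An added example, not part of the post and not Arbor's or DSL Reports' code: a parser for the command shape shown above (`<params>#<verb> <args>#<id>#`) so that a proxy or IDS log review can pull the flood type, target and command id out of responses fetched from a stat.php-style URL. The meaning of the semicolon-separated numbers is not given in the post, so they are kept as an opaque list; the sample bodies are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Command line shape taken from the post: <n;n;...>#<verb> <args>#<id>#
# The numeric fields are bot configuration whose meanings the post does
# not give (assumption: treat them as an opaque list of integers).
COMMAND_RE = re.compile(
    r"^(?P<params>(?:\d+;)*\d+)#"
    r"(?P<verb>[a-z_]+)(?:\s+(?P<args>[^#]*?))?\s*#"
    r"(?P<cmd_id>\d+)#$"
)

@dataclass
class BotCommand:
    params: list[int]
    verb: str
    args: list[str]
    cmd_id: int

def parse_command(body: str) -> BotCommand | None:
    """Parse one C&C response body; None if it is not in this shape."""
    m = COMMAND_RE.match(body.strip())
    if not m:
        return None
    args = m.group("args").split() if m.group("args") else []
    return BotCommand(
        params=[int(p) for p in m.group("params").split(";")],
        verb=m.group("verb"),
        args=args,
        cmd_id=int(m.group("cmd_id")),
    )

def flood_targets(bodies: list[str]) -> list[tuple[str, str, int]]:
    """(proto, target, cmd_id) for each flood command, for alerting/dedup."""
    seen = []
    for body in bodies:
        cmd = parse_command(body)
        if cmd and cmd.verb == "flood" and len(cmd.args) >= 2:
            seen.append((cmd.args[0], cmd.args[1], cmd.cmd_id))
    return seen

# Constructed samples: the command from the post, an unrelated HTML body,
# and a constructed non-flood command with no arguments.
SAMPLE_BODIES = [
    "10;2000;10;1;0;30;100;3;20;1000;2000#flood icmp 209.123.109.175#15#",
    "<html><body>ok</body></html>",
    "10;2000;10;1;0;30;100;3;20;1000;2000#wait#16#",
]
```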