[nsp-sec] DDoS possibly towards 212.224.127.14
Serge Droz
serge.droz at switch.ch
Fri Apr 11 11:11:56 EDT 2008
Hello all,
we are currently see large amounts of flows involving 212.224.127.14
It seems that some botnet sends spoofed packets with 212.224.127.14 as sender
address to various webservers, which then reply.
This produces rather large flows against webservers here (we see 14kflows/sec
into AS599)
Anyone see packets coming from 212.224.127.14:someport going to port someip:80?
According to the owner of this IP (explicit content on the server) they are
experiencing this attack since a few weeks. We only see the flows since
yesterday around 19:30 UTC
Any ideas on the botnet involved?
Serge
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
More information about the nsp-security
mailing list