[nsp-sec] UDP attack at 62.44.69.98 - looking for C&C
Smith, Donald
Donald.Smith at qwest.com
Wed Apr 23 13:01:47 EDT 2008
Steve, I looked at the Qwest IP you listed; it did not show up with a single
packet towards your victim based on my netflow for 4/22/08.
I also looked at traffic towards your victim's ip.
All of it was coming in from ONE physical interface on my network.
That is not the way a DDOS usually works:) Usually it comes from lots of
places and lots of input interfaces. So I believe this traffic is
spoofed possibly from a single source?
That traffic is consistently 1052 bytes in size and all aimed at 27910.
That would be easy to block with a Juniper firewall filter or anything
that can include protocol, ports and size in the filter.
From the fingers of Steve Colam.
Hi,
A friend of mine has banned someone from his quake server
62.44.69.98 and now he's getting blatted with UDP love to his
server port (27910) from random src ports with variable payload
size.
Total volume is sub 100mb and he doesn't want to buy our anti-ddos
service :)
Any ideas on C&C / etc ?
Cheers,
Steve @ AS5413
--
Steve Colam
Head of Network Operations
Vialtus Solutions Mobile: +44 7971 534844
steve.colam at vialtus.com Direct: +44 1865 381592
PGP Key ID: 0x1C19D542 http://www.vialtus.com/
---
209 | 65.102.202.4 | 20080422 2300-2310 | ASN-QWEST - Qwest
<SNIP>
> ----------- nsp-security Confidential --------
>
>
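
The reasoning in the reply above (many apparent sources, one ingress interface, one packet size on one port) can be run as a check over flow records. This is an added example, not part of the original thread; the record fields, thresholds, function names and sample data are constructed for illustration and do not follow any particular NetFlow collector's format.

```python
from collections import Counter

def sample_flows():
    """Constructed records (documentation address ranges), not real NetFlow data."""
    flows = [{"src": f"203.0.113.{i}", "in_if": 12, "dst": "198.51.100.10",
              "proto": 17, "dport": 27910, "pkts": 3, "bytes": 3 * 1052}
             for i in range(1, 41)]
    # Unrelated TCP flow on another interface; it must not affect the result.
    flows.append({"src": "192.0.2.7", "in_if": 4, "dst": "198.51.100.10",
                  "proto": 6, "dport": 80, "pkts": 3, "bytes": 1500})
    return flows

def assess(flows, victim, dport, proto=17, min_sources=20, size_share=0.95):
    """Summarise flows towards victim:dport and flag the single-ingress pattern."""
    hits = [f for f in flows
            if f["dst"] == victim and f["dport"] == dport
            and f["proto"] == proto and f["pkts"] > 0]
    sources = {f["src"] for f in hits}
    per_if, per_size = Counter(), Counter()
    for f in hits:
        per_if[f["in_if"]] += f["pkts"]
        # Flow records carry totals, so this is the mean packet size of the flow.
        per_size[f["bytes"] // f["pkts"]] += f["pkts"]
    total = sum(per_if.values())
    if total == 0:
        return {"sources": 0, "interfaces": 0,
                "single_ingress_many_sources": False, "filter_hint": None}
    size, size_pkts = per_size.most_common(1)[0]
    uniform = size_pkts / total >= size_share
    return {
        "sources": len(sources),
        "interfaces": len(per_if),
        # Many claimed sources arriving on one interface suggests spoofing
        # from one upstream origin rather than a distributed set of hosts.
        "single_ingress_many_sources":
            len(sources) >= min_sources and len(per_if) == 1,
        # A stable (protocol, port, size) tuple is what a filter could match on.
        "filter_hint":
            {"proto": proto, "dport": dport, "size": size} if uniform else None,
    }

if __name__ == "__main__":
    print(assess(sample_flows(), "198.51.100.10", 27910))
```

The per-flow size is an average, so a flow mixing packet sizes can hide behind one value; confirm against sampled packets before matching on size in a filter.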