[nsp-sec] UDP attack at 62.44.69.98 - looking for C&C

Steve Colam steve.colam at gxn.net
Wed Apr 23 18:17:44 EDT 2008


On Wed, 23 Apr 2008, Smith, Donald wrote:

> Steve, I looked at the Qwest IP you listed; it did not show up with a single
> packet towards your victim based on my netflow for 4/22/08.
>
> I also looked at traffic towards your victim's IP.
> All of it was coming in from ONE physical interface on my network.
> That is not the way a DDoS usually works :) Usually it comes from lots of
> places and lots of input interfaces. So I believe this traffic is
> spoofed, possibly from a single source?

I'm not so sure. I think it is likely spoofed, but definitely
not from a single source; we can see it distributed
across our ingress ports.

> That traffic is consistently 1052 bytes in size and all aimed at 27910
> that would be easy to block with a juniper firewall filter or anything
> that can include protocol, ports and size in the filter.

The packet size varies to be either 1052, 2104 or 3156.

The DoS traffic isn't a problem as such, but we are interested
in tracking down the C&C, as no doubt it will be up to other
badness, and a Quake server can live in all its glory again.

Tx,

Steve


> From the fingers of Steve Colam.
> Hi,
>
> A friend of mine has banned someone from his quake server
> 62.44.69.98 and now he's getting blatted with UDP love to his
> server port (27910) from random src ports with variable payload
> size.
>
> Total volume is sub 100mb and he doesn't want to buy our anti-ddos
> service :)
>
> Any ideas on C&C / etc ?
>
> Cheers,
>
> Steve @ AS5413
>
>
>
>
> -- 
>
> Steve Colam
> Head of Network Operations
> Vialtus Solutions                         Mobile: +44 7971 534844
> steve.colam at vialtus.com                   Direct: +44 1865 381592
> PGP Key ID: 0x1C19D542                    http://www.vialtus.com/
>
> ---
>
>
> 209     | 65.102.202.4     |  20080422 2300-2310 | ASN-QWEST - Qwest
> <SNIP>
>
>> ----------- nsp-security Confidential --------
>>
>>
>
>
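The triage the two posters describe (pick out the UDP flows to the victim's game port by packet size, see how many input interfaces they arrive on, and check whether the source addresses are plausible for those interfaces), written out as an added example. This is not code from the thread or from either poster; the CSV flow format, the interface names, the expected-prefix table and the sample flows are all constructed for the example, and only the victim address, port and the three packet sizes come from the thread.

```python
"""Triage a fixed-size UDP flood from NetFlow-style records (added example).

Assumptions, not from the thread: flows are unidirectional CSV records with
the fields start,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets,in_if,
and flood packets are uniform within a flow so bytes/packets gives the size.
"""
import ipaddress
from collections import Counter

VICTIM = "62.44.69.98"            # the Quake server from the thread
VICTIM_PORT = 27910               # its UDP game port
FLOOD_SIZES = {1052, 2104, 3156}  # sizes reported on the list (1x, 2x, 3x of 1052)

# Constructed sample data, not real flows: five flood flows over three input
# interfaces, one ordinary game client (~80-byte packets), one unrelated TCP flow.
SAMPLE_FLOWS = """\
start,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets,in_if
2008-04-22T23:00:01,198.51.100.7,40213,62.44.69.98,27910,17,10520,10,ge-0/0/1
2008-04-22T23:00:02,203.0.113.9,51877,62.44.69.98,27910,17,21040,10,ge-0/0/2
2008-04-22T23:00:02,192.0.2.33,60001,62.44.69.98,27910,17,31560,10,ge-0/0/3
2008-04-22T23:00:03,198.51.100.8,40214,62.44.69.98,27910,17,5260,5,ge-0/0/1
2008-04-22T23:00:04,192.0.2.200,60002,62.44.69.98,27910,17,2104,1,ge-0/0/3
2008-04-22T23:00:05,203.0.113.44,27901,62.44.69.98,27910,17,960,12,ge-0/0/2
2008-04-22T23:00:06,203.0.113.50,44120,62.44.69.98,22,6,3200,8,ge-0/0/2
"""

# Constructed, assumed prefix table: what you expect to see behind each input
# interface (your peering/customer tables, or what uRPF would accept).
EXPECTED_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/3": [ipaddress.ip_network("192.0.2.0/25")],
}


def parse_flows(text):
    """Parse CSV flow records into dicts with the numeric fields converted."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in ("src_port", "dst_port", "proto", "bytes", "packets"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def is_flood_flow(flow, victim=VICTIM, port=VICTIM_PORT, sizes=FLOOD_SIZES):
    """Match the signature discussed on the list: UDP to the victim's game port
    with a per-packet size in the observed set. Bytes must divide evenly by
    packets, so a flow that mixes sizes is not misclassified by its average."""
    pkts = flow["packets"]
    return (flow["proto"] == 17
            and flow["dst_ip"] == victim
            and flow["dst_port"] == port
            and pkts > 0
            and flow["bytes"] % pkts == 0
            and flow["bytes"] // pkts in sizes)


def summarize_flood(flows):
    """Aggregate the matching flows per input interface and per packet size,
    plus the number of distinct sources and source ports."""
    flood = [f for f in flows if is_flood_flow(f)]
    by_if, by_size = Counter(), Counter()
    for f in flood:
        by_if[f["in_if"]] += f["packets"]
        by_size[f["bytes"] // f["packets"]] += f["packets"]
    return {
        "flows": len(flood),
        "packets": sum(f["packets"] for f in flood),
        "bytes": sum(f["bytes"] for f in flood),
        "sources": len({f["src_ip"] for f in flood}),
        "src_ports": len({f["src_port"] for f in flood}),
        "by_interface": dict(by_if),
        "by_size": dict(by_size),
    }


def distribution_verdict(summary):
    """One ingress interface suggests one (possibly spoofed) sender; several
    suggest a distributed attack. Neither proves the source addresses are real."""
    n = len(summary["by_interface"])
    if n == 0:
        return "no flood traffic"
    if n == 1:
        return "single ingress interface: likely one sender, source addresses may be spoofed"
    return f"{n} ingress interfaces: distributed, source addresses still unverified"


def spoof_candidates(flows, expected=EXPECTED_PREFIXES):
    """Sources that should not be reachable through the interface they arrived
    on: the uRPF check done in software over the flood flows."""
    out = []
    for f in flows:
        src = ipaddress.ip_address(f["src_ip"])
        if not any(src in net for net in expected.get(f["in_if"], [])):
            out.append(f["src_ip"])
    return out
```

Run `summarize_flood(parse_flows(SAMPLE_FLOWS))` to get the per-interface and per-size breakdown; on the constructed data the flood spans three interfaces, so `distribution_verdict` reports it as distributed, while `spoof_candidates` still flags the one source that does not belong behind its ingress port. Interface spread and address plausibility are separate questions, which is why both checks are kept.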