[nsp-sec] Busy ddos net: 193.202.63.119 ASN 8885 - HU
Campisano, Mario
Mario.Campisano at Level3.com
Mon Feb 11 10:03:56 EST 2008
Jose,
This IP appears to be downstream of one of our customer's interfaces. I will contact them for assistance.
Thank you,
Mario Campisano
Manager
IPD&S Network Security Lead Support/
Network Security Services
Level 3 Communications, LLC
abuse at level3.com
securityoperations at level3.com
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of jose nazario
> Sent: Monday, February 11, 2008 9:42 AM
> To: nsp-security NSP
> Subject: [nsp-sec] Busy ddos net: 193.202.63.119 ASN 8885 - HU
>
> ----------- nsp-security Confidential --------
>
> Here's an hour of their DDoS activity:
>
> 1202735775/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//157.157.124.112/157.157.124.112/IS/6677/anis!maja at fbi.gov/ARBOR/ .ddos.udp 157.157.124.112 21 1000 -s
> 1202735780/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//157.157.124.112/157.157.124.112/IS/6677/anis!maja at fbi.gov/ARBOR/ .ddos.syn 157.157.124.112 21 1000 -s
> 1202737100/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//82.192.47.134/82.192.47.134/SI/12644/anis!maja at fbi.gov/ARBOR/ .ddos.syn 82.192.47.134 21 700 -s
> 1202737104/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//82.192.47.134/82.192.47.134/SI/12644/anis!maja at fbi.gov/ARBOR/ .ddos.udp 82.192.47.134 21 700 -s
> 1202737154/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//91.185.200.146/91.185.200.146/SI/41828/anis!maja at fbi.gov/ARBOR/ .ddos.udp 91.185.200.146 21 700 -s
> 1202737158/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//91.185.200.146/91.185.200.146/SI/41828/anis!maja at fbi.gov/ARBOR/ .ddos.syn 91.185.200.146 21 700 -s
> 1202737909/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//81.69.191.83/81.69.191.83/NL/5390/anis!maja at fbi.gov/ARBOR/ .ddos.udp 81.69.191.83 21 700 -s
> 1202737925/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//90.230.22.236/90.230.22.236/SE/3301/anis!maja at fbi.gov/ARBOR/ .ddos.udp 90.230.22.236 21 700 -s
> 1202737940/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//81.236.212.127/81.236.212.127/SE/3301/anis!maja at fbi.gov/ARBOR/ .ddos.udp 81.236.212.127 21 700 -s
> 1202737963/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//81.69.159.31/81.69.159.31/NL/5390/anis!maja at fbi.gov/ARBOR/ .ddos.udp 81.69.159.31 21 700 -s
> 1202737980/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//81.69.168.14/81.69.168.14/NL/5390/anis!maja at fbi.gov/ARBOR/ .ddos.udp 81.69.168.14 21 700 -s
> 1202737998/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//90.21.164.167/90.21.164.167/FR/3215/anis!maja at fbi.gov/ARBOR/ .ddos.udp 90.21.164.167 21 700 -s
>
> That botnet is controlled here:
>
> host: irc.swpower-team.net
> IP: 193.202.63.119
> Port 8885
>
> Targets include:
>
> AS | IP | AS Name
> 41828 | 91.185.200.146 | TUSMOBIL TUSMOBIL - core network
> 12644 | 82.192.47.134 | TELEMACH Telemach Autonomous System
> 6677 | 157.157.124.112 | ICENET-AS1 *********************************
> 5390 | 81.69.168.14 | EURONET Orange Nederland B.V. Global AS
> 3215 | 90.21.164.167 | AS3215 France Telecom - Orange
> 5390 | 81.69.168.14 | EURONET Orange Nederland B.V. Global AS
> 3301 | 81.236.212.127 | TELIANET-SWEDEN TeliaNet Sweden
>
>
> Anyone with any pull in Hungary?
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO
> Arbor Networks
> v: (734) 821 1427
> PGP: 0x40A7BF94
> www.arbornetworks.com
> -------------------------------------------------------------
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
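Added example, not part of either message: a Python sketch that parses records like the ones quoted above and groups the targeted addresses by origin AS, the step behind a per-network notification list. The field positions are inferred from the quoted records and are an assumption, as are the function names; the sample is constructed from four of those records with the mail wrapping undone, plus one wrapped fragment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: four records from the message above, unwrapped, plus
# one fragment left wrapped as the archive shows it.
SAMPLE = """\
1202735775/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//157.157.124.112/157.157.124.112/IS/6677/anis!maja at fbi.gov/ARBOR/ .ddos.udp 157.157.124.112 21 1000 -s
1202735780/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//157.157.124.112/157.157.124.112/IS/6677/anis!maja at fbi.gov/ARBOR/ .ddos.syn 157.157.124.112 21 1000 -s
1202737100/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//82.192.47.134/82.192.47.134/SI/12644/anis!maja at fbi.gov/ARBOR/ .ddos.syn 82.192.47.134 21 700 -s
1202737925/irc.swpower-team.net/193.202.63.119/8885/HU/43937/#army#//90.230.22.236/90.230.22.236/SE/3301/anis!maja at fbi.gov/ARBOR/ .ddos.udp 90.230.22.236 21 700 -s
1202737940/irc.swpower-
"""

def parse_record(line):
    """Return a dict for one record, or None if it is incomplete or malformed."""
    # Assumed layout: 15 '/'-separated fields, the logged command being the last.
    parts = line.strip().split("/", 14)
    if len(parts) != 15:
        return None
    cmd = parts[14].split()
    try:
        seen = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
        ip = ipaddress.ip_address(parts[9])
        asn = int(parts[11])
    except ValueError:
        return None
    # The logged command must name the same address as the target field.
    if len(cmd) < 2 or not cmd[0].startswith(".ddos.") or cmd[1] != str(ip):
        return None
    return {"seen": seen, "ip": str(ip), "cc": parts[10], "asn": asn,
            "method": cmd[0][len(".ddos."):]}

def targets_by_asn(text):
    """Group records as {asn: {ip: summary}}; also return the skipped-line count."""
    out, skipped = defaultdict(dict), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        s = out[rec["asn"]].setdefault(rec["ip"], {
            "cc": rec["cc"], "methods": set(), "first": rec["seen"], "last": rec["seen"]})
        s["methods"].add(rec["method"])
        s["first"], s["last"] = min(s["first"], rec["seen"]), max(s["last"], rec["seen"])
    return dict(out), skipped

if __name__ == "__main__":
    print(targets_by_asn(SAMPLE))
```

The skipped-line count matters with archived mail: a record that is still wrapped fails the 15-field check and is counted rather than silently dropped.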