[nsp-sec] contact at Turk Telekom ? botnet periodically attacking google.
Peter Moody
pmoody at google.com
Fri Feb 29 22:24:54 EST 2008
hey folks,

I just got this from one of our security engineers. any help on this
would be greatly appreciated. Times are in pst.

A botnet of about 1500 IPs hit us on 2008-02-22 13:54-13:56. Bots
were very simple, with only a Host: header.

A larger botnet (2000+ IPs) hit us on 2008-02-27 05:03-05:06. Bots
were slightly more advanced... they had a User-Agent: header also.

A third attack (about 850 IPs) hit us on 2008-02-29 09:29-09:32. Bots
now added a Referer: header to the mix.

Each attack was capable of sending more than 10,000 requests/second.

Nearly all hosts appear to be in Turk Telekom space. It's slightly
strange that the botnet isn't more geographically diverse, but that's
not too uncommon. Most disturbing is that they appear to be actively
improving their code, and these short attacks may be testing for a
larger attack from a more global botnet in the future.

Curiously, there was little overlap between the hosts in the three
attacks. The first two only had 21 bots in common, the third had
none. The IPs shared by the first two attacks were:
Cheers,
.peter
--
Peter Moody Google 1.650.253.7306
Network Security Engineer pgp:0xC3410038
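
The comparison described in the message above, as an added example that is not part of the original post: it splits request records into bursts, reports each burst's source set and header-name fingerprint, and computes the source overlap between bursts. The record layout, the one-hour gap threshold, the function names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source IP, request header names).
# IPs are RFC 5737 documentation addresses, not hosts from the incident.
SAMPLE = [
    ("2008-02-22 13:54:01", "192.0.2.10", ("Host",)),
    ("2008-02-22 13:54:02", "192.0.2.11", ("Host",)),
    ("2008-02-22 13:55:40", "192.0.2.12", ("Host",)),
    ("2008-02-27 05:03:10", "192.0.2.11", ("Host", "User-Agent")),
    ("2008-02-27 05:04:00", "198.51.100.7", ("Host", "User-Agent")),
    ("2008-02-27 05:05:59", "198.51.100.8", ("Host", "User-Agent")),
    ("2008-02-29 09:29:30", "203.0.113.5", ("Host", "User-Agent", "Referer")),
    ("2008-02-29 09:31:12", "203.0.113.6", ("Host", "User-Agent", "Referer")),
]

def split_bursts(records, gap=timedelta(hours=1)):
    """Group records into bursts separated by more than `gap` of silence."""
    bursts, last = [], None
    for ts, ip, headers in sorted(records):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if last is None or t - last > gap:
            bursts.append([])
        bursts[-1].append((t, ip, frozenset(headers)))
        last = t
    return bursts

def summarize(burst):
    """Source IP set and the most common header-name set for one burst."""
    dominant, _ = Counter(h for _, _, h in burst).most_common(1)[0]
    return {"start": burst[0][0], "end": burst[-1][0],
            "ips": {ip for _, ip, _ in burst}, "headers": dominant}

def compare(bursts):
    """Pairwise source overlap, plus header names added burst over burst."""
    s = [summarize(b) for b in bursts]
    overlap = {(i, j): s[i]["ips"] & s[j]["ips"]
               for i in range(len(s)) for j in range(i + 1, len(s))}
    added = [sorted(s[i + 1]["headers"] - s[i]["headers"])
             for i in range(len(s) - 1)]
    return s, overlap, added

if __name__ == "__main__":
    summaries, overlap, added = compare(split_bursts(SAMPLE))
    for n, b in enumerate(summaries):
        print(n, b["start"], b["end"], len(b["ips"]), sorted(b["headers"]))
    print("shared sources:", {k: sorted(v) for k, v in overlap.items()})
    print("headers added:", added)
```
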