[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)

Rob Thomas robt at cymru.com
Thu Jan 31 16:19:20 EST 2008


Hey, Nico!

Sorry to hear about the DDoS attack.  :(

> It's hitting mainly 213.27.239.85 and for some time 213.27.136.168.

Are both IPs tied to www.berggi.com?

If so, we see some attacks from one botnet beginning on 2008-01-28  
16:43:26.161362 UTC.  It's a kitchen sink approach, with SYN floods  
initially followed by HTTP GET floods.

The same crew fires up an impressive UDP flood to port 50 starting on  
2008-01-27 18:50:49.239885 UTC.  The kitchen sink continues in this  
botnet as well, with all sorts of packet love coming from this botnet  
- TCP SYN, HTTP GET, multiple packet/protocol attacks, etc.

Someone has a lot of hate to give.

The botnet is r00t.lammerz.com.ar, and at the time of the attacks  
this was on 64.32.13.143 TCP 6667.  The channels are at least  
"#arnet#" and "#none" and "#%%#" (no quotes).  Other fun (albeit  
small at 3 clients) channels include:

    *** #cracking  3      [+nt]   Irc.ELCracker.Net #Cracking // Accept Carding & Banking // Not Accept Rippers // Enjoy ! //   Shellz for Spam Or Upload Ur File ! ->  http://www.vsm.gov.tr/pwnd/shellz.txt <- Enjoy !  You Need SENDMAIL INBOX ?? -> +http://www.vsm.gov.tr/pwnd/sender.txt <- Mailer inbox ssh Enjoy (N

The attack and possibly the ubiquitous null route are costing them bots.

    *** Current Local Users:  97  Max: 1017
    *** Current Global Users:  97  Max: 998

I've put a list of 141 probable bots at the bottom of this note.

If you'd like we can set the wayback machine for before 27 JAN 2008  
and see if there are any other attacks or discourse.

Good luck, and let us know if there is anything we can do to help!

Thanks,
Rob.


>
> Mainly UDP, with top 5 sources (spoofed):
>
> 213.92.95.80
> 77.109.136.146
> 196.203.251.29
> 74.200.206.130
> 140.111.143.133
>
> Does anyone track a C&C that could be involved ? The botnet seems
> pretty large as it's coming in from all over the place.
>
> Malware welcome too, we've asked the customer to involve LE in Spain.
> (please pass this on to nsp-sec-leo if you are on it and some ES LE
> too).
>
> Feel free to blackhole the destination if you see large amount of
> traffic leaving your network.
>
> Thanks,
> Nico.
> -- 
> Nicolas FISCHBACH
> Senior Manager - Network Engineering/Security - COLT Telecom
> e:(nico at securite.org) w:<http://www.securite.org/nico/>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________

-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");

ASN     | IP               | timestamp           | AS name
1930    | 193.136.19.20    | 2008-01-14 13:06:30 | RCCN RCCN-NET
2108    | 161.53.202.3     | 2008-01-07 20:23:28 | CARNET-AS Croatian Academic and Research Network
3221    | 193.40.0.77      | 2008-01-16 09:20:35 | EENet Autonomous System
3265    | 82.94.200.40     | 2008-01-18 04:25:10 | XS4ALL-NL XS4ALL
3402    | 168.61.10.35     | 2008-01-31 02:25:47 | MAPS-2 - Mail Abuse Prevention System LLC
3462    | 125.229.175.237  | 2008-01-25 06:05:39 | HINET Data Communication Business Group
3462    | 125.229.177.144  | 2008-01-22 17:30:25 | HINET Data Communication Business Group
3462    | 211.75.75.231    | 2008-01-27 00:30:19 | HINET Data Communication Business Group
3462    | 220.128.138.106  | 2008-01-19 09:27:02 | HINET Data Communication Business Group
3462    | 220.128.239.67   | 2008-01-23 02:37:12 | HINET Data Communication Business Group
3462    | 220.132.97.183   | 2008-01-25 05:13:41 | HINET Data Communication Business Group
3462    | 59.127.179.215   | 2008-01-15 00:28:29 | HINET Data Communication Business Group
3462    | 61.221.141.45    | 2008-01-18 22:59:36 | HINET Data Communication Business Group
3462    | 61.221.30.148    | 2008-01-27 02:52:05 | HINET Data Communication Business Group
3462    | 61.222.167.228   | 2008-01-27 02:37:24 | HINET Data Communication Business Group
4378    | 209.216.46.70    | 2008-01-31 18:10:52 | HOSTINGCOM - Hosting.com, Inc.
4766    | 211.221.224.205  | 2008-01-17 03:16:10 | KIXS-AS-KR Korea Telecom
4766    | 211.224.129.114  | 2008-01-24 04:19:45 | KIXS-AS-KR Korea Telecom
4766    | 222.122.161.179  | 2008-01-27 13:29:56 | KIXS-AS-KR Korea Telecom
5408    | 195.130.72.177   | 2008-01-26 00:57:06 | GR-NET Greek Research and Technology Network
6130    | 209.216.205.186  | 2008-01-15 10:03:54 | ADN-WEST - American Digital Network
6325    | 209.7.140.9      | 2008-01-25 19:56:01 | ILLINOIS-CENTURY - Illinois Century Network
6325    | 66.99.221.234    | 2008-01-26 17:16:25 | ILLINOIS-CENTURY - Illinois Century Network
6327    | 64.141.108.29    | 2008-01-14 17:27:18 | SHAW - Shaw Communications Inc.
6461    | 216.195.49.90    | 2008-01-18 05:32:35 | MFNX MFN - Metromedia Fiber Network
6471    | 164.77.208.122   | 2008-01-31 08:27:35 | ENTEL CHILE S.A.
6522    | 128.180.2.186    | 2008-01-31 01:13:42 | LEHIGH - Lehigh University
6539    | 198.165.205.142  | 2008-01-17 07:27:25 | GT-BELL - Bell Canada
7132    | 68.252.139.193   | 2008-01-31 13:27:48 | SBIS-AS - AT&T Internet Services
7132    | 75.33.104.153    | 2008-01-31 09:36:48 | SBIS-AS - AT&T Internet Services
7385    | 208.186.168.55   | 2008-01-17 12:37:35 | INTEGRATELECOM - Integra Telecom, Inc.
7497    | 220.113.41.29    | 2008-01-22 13:42:50 | CSTNET-AS-AP Computer Network Information Center
8001    | 64.21.152.2      | 2008-01-27 13:37:42 | NET-ACCESS-CORP - Net Access Corporation
8001    | 66.246.218.39    | 2008-01-16 23:19:56 | NET-ACCESS-CORP - Net Access Corporation
8167    | 201.67.87.2      | 2008-01-30 17:44:09 | TELESC - Telecomunicacoes de Santa Catarina SA
8248    | 194.63.237.7     | 2008-01-16 08:05:57 | GR-EDUNET Greek High-School Internet Network (backbone and access)
8248    | 194.63.239.168   | 2008-01-14 06:27:58 | GR-EDUNET Greek High-School Internet Network (backbone and access)
9120    | 212.97.132.103   | 2008-01-31 09:35:18 | COHAESIONET Cohaesio A/S
9120    | 212.97.132.117   | 2008-01-31 07:31:20 | COHAESIONET Cohaesio A/S
9269    | 61.238.69.63     | 2008-01-24 05:35:16 | CTIHK-AS-AP City Telecom (H.K.) Ltd.
9768    | 210.96.22.186    | 2008-01-29 09:04:53 | PUBNET1-AS KT
9916    | 140.113.4.81     | 2008-01-17 19:11:36 | NCTU-TW National Chiao Tung University,
9924    | 219.80.132.85    | 2008-01-24 05:34:15 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9924    | 219.80.146.60    | 2008-01-18 21:40:22 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9924    | 219.80.184.113   | 2008-01-22 16:29:13 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9924    | 219.81.197.75    | 2008-01-27 13:38:45 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
9924    | 219.81.200.29    | 2008-01-29 11:36:57 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
10532   | 64.49.216.180    | 2008-01-31 03:35:24 | RACKSPACE - Rackspace.com, Ltd.
11320   | 64.22.192.49     | 2008-01-15 20:26:56 | LIGHTEDGE-AS-02 - LightEdge Solutions
12306   | 213.83.63.219    | 2008-01-25 19:55:10 | Plus.Line AG IP-Services
12876   | 195.154.77.64    | 2008-01-27 16:04:37 | AS12876 Telecom Italia France
13749   | 207.44.162.116   | 2008-01-22 22:42:53 | EVERYONES-INTERNET - Everyones Internet
13749   | 64.246.58.37     | 2008-01-15 09:34:55 | EVERYONES-INTERNET - Everyones Internet
13749   | 66.98.226.4      | 2008-01-17 11:56:58 | EVERYONES-INTERNET - Everyones Internet
13749   | 75.125.238.58    | 2008-01-22 23:31:23 | EVERYONES-INTERNET - Everyones Internet
13768   | 72.51.37.149     | 2008-01-09 16:07:55 | PEER1 - Peer 1 Network Inc.
14361   | 66.235.184.53    | 2008-01-20 08:07:02 | HOPONE-GLOBAL - HopOne Internet Corporation
14361   | 66.36.229.83     | 2008-01-27 19:23:57 | HOPONE-GLOBAL - HopOne Internet Corporation
14361   | 66.36.240.5      | 2008-01-22 22:42:49 | HOPONE-GLOBAL - HopOne Internet Corporation
14361   | 66.36.242.225    | 2008-01-25 19:55:06 | HOPONE-GLOBAL - HopOne Internet Corporation
14383   | 69.65.106.24     | 2008-01-15 02:00:57 | DTGL-AS - Defender Technologies Group, LLC
14779   | 67.28.112.161    | 2008-01-18 21:07:45 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.167    | 2008-01-31 10:29:56 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.179    | 2008-01-17 15:18:20 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.185    | 2008-01-31 18:14:31 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.186    | 2008-01-27 15:42:34 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.197    | 2008-01-25 17:19:30 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.204    | 2008-01-26 03:03:18 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.41     | 2008-01-15 00:19:25 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.46     | 2008-01-26 17:42:58 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.50     | 2008-01-31 03:52:18 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.112.51     | 2008-01-25 14:39:59 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.113.235    | 2008-01-25 04:25:37 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.113.237    | 2008-01-25 20:52:33 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.113.240    | 2008-01-21 21:01:17 | INKTOMI-LAWSON - Inktomi Corporation
14779   | 67.28.113.245    | 2008-01-31 03:52:48 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.211     | 2008-01-27 19:29:46 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.216     | 2008-01-27 15:36:29 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.228     | 2008-01-26 17:39:07 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.230     | 2008-01-31 13:48:58 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.234     | 2008-01-25 21:23:17 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.236     | 2008-01-26 17:34:37 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.239     | 2008-01-16 22:39:39 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.242     | 2008-01-31 08:44:01 | INKTOMI-LAWSON - Inktomi Corporation
14780   | 4.79.181.246     | 2008-01-22 22:34:36 | INKTOMI-LAWSON - Inktomi Corporation
16805   | 64.62.162.166    | 2008-01-24 06:02:00 | FASTSERVERS - FastServers, Inc.
16814   | 200.68.98.226    | 2008-01-31 15:11:02 | NSS S.A.
17896   | 222.169.33.222   | 2008-01-20 15:22:46 | CHINATELECOM-JL-AS-AP asn for Jilin Provincial Net of CT
20021   | 76.12.21.207     | 2008-01-25 19:55:04 | LNH-INC - HostMySite
21533   | 216.219.89.15    | 2008-01-31 08:08:35 | TERREMARK - Terremark Worldwide
21548   | 208.65.63.160    | 2008-01-27 10:36:03 | MTO - MTO Telecom Inc.
23352   | 216.246.98.68    | 2008-01-22 10:31:27 | SERVERCENTRAL - Server Central Network
23352   | 66.225.201.10    | 2008-01-17 13:52:05 | SERVERCENTRAL - Server Central Network
23889   | 202.123.27.136   | 2008-01-27 09:54:27 | MAURITIUS-TELECOM-AS-AP
24403   | 220.113.41.29    | 2008-01-22 13:42:50 | CNNIC-CNCITYNET-AP Beijing Kuanjie Net communication technology Ltd
24673   | 80.79.132.243    | 2008-01-21 18:27:59 | FIRSTSERV-AS Firstserv network.
25653   | 208.116.12.26    | 2008-01-19 22:07:12 | FORTRESSITX - FortressITX
25653   | 65.98.120.201    | 2008-01-17 11:26:19 | FORTRESSITX - FortressITX
25653   | 65.98.69.211     | 2008-01-12 19:30:28 | FORTRESSITX - FortressITX
25653   | 69.72.161.50     | 2008-01-23 01:53:55 | FORTRESSITX - FortressITX
25973   | 209.200.242.43   | 2008-01-27 13:22:14 | MZIMA - Mzima Networks, Inc.
25973   | 209.200.255.149  | 2008-01-27 13:15:50 | MZIMA - Mzima Networks, Inc.
25973   | 74.50.13.238     | 2008-01-27 13:14:51 | MZIMA - Mzima Networks, Inc.
26228   | 64.151.120.14    | 2008-01-25 21:15:30 | SERVEPATH - ServePath, LLC
26277   | 72.18.195.189    | 2008-01-31 15:11:51 | PREMIANET - A+ Hosting, Inc.
26627   | 69.31.80.186     | 2008-01-24 05:27:12 | AS-PILOSOFT - Pilosoft, Inc.
26803   | 66.201.37.21     | 2008-01-25 20:50:57 | FIBERNOC - Fiber Internet Center
27357   | 69.20.14.16      | 2008-01-15 01:01:02 | RACKSPACE - Rackspace.com, Ltd.
27357   | 69.20.59.155     | 2008-01-15 01:13:09 | RACKSPACE - Rackspace.com, Ltd.
27552   | 216.93.241.82    | 2008-01-22 09:46:16 | TWDXNET - TowardEX Technologies International, Inc.
29212   | 212.85.15.145    | 2008-01-17 00:20:03 | SYNETRIX-AS Synetrix Ltd.
29339   | 77.236.96.14     | 2008-01-24 09:47:30 | MBBG-AS Markus Bach Betriebs Gesellschaft mbH
29449   | 82.143.10.177    | 2008-01-29 11:34:01 | TPN-AS TopneT Telecomunicazioni S.r.L.
29551   | 193.254.203.115  | 2008-01-31 13:52:41 | HGCOMP-ASN HG Computerservice
29671   | 77.232.66.106    | 2008-01-20 08:02:31 | SERVAGE Servage GmbH
29671   | 77.232.66.15     | 2008-01-24 04:53:31 | SERVAGE Servage GmbH
29671   | 77.232.66.165    | 2008-01-14 18:26:25 | SERVAGE Servage GmbH
29671   | 77.232.66.174    | 2008-01-29 11:43:59 | SERVAGE Servage GmbH
29671   | 77.232.66.198    | 2008-01-16 21:57:39 | SERVAGE Servage GmbH
29671   | 77.232.66.61     | 2008-01-24 05:27:00 | SERVAGE Servage GmbH
29671   | 77.232.68.137    | 2008-01-31 08:31:01 | SERVAGE Servage GmbH
29671   | 77.232.68.17     | 2008-01-16 22:57:24 | SERVAGE Servage GmbH
29671   | 77.232.68.175    | 2008-01-29 11:32:24 | SERVAGE Servage GmbH
29671   | 77.232.68.81     | 2008-01-15 01:44:31 | SERVAGE Servage GmbH
29671   | 77.232.80.10     | 2008-01-31 03:23:08 | SERVAGE Servage GmbH
30315   | 67.15.148.80     | 2008-01-17 00:47:36 | EVERYONES-INTERNET2 - Everyones Internet
30315   | 67.15.70.4       | 2008-01-17 12:55:58 | EVERYONES-INTERNET2 - Everyones Internet
30315   | 67.15.78.65      | 2008-01-27 13:36:44 | EVERYONES-INTERNET2 - Everyones Internet
30315   | 67.15.94.26      | 2008-01-17 19:26:38 | EVERYONES-INTERNET2 - Everyones Internet
32736   | 72.26.226.138    | 2008-01-17 11:48:49 | INFORTECH-001 - Infortech Corporation
33070   | 72.32.187.62     | 2008-01-17 00:42:35 | RMH-14 - Rackspace.com, Ltd.
33070   | 72.32.9.30       | 2008-01-14 23:45:12 | RMH-14 - Rackspace.com, Ltd.
35228   | 78.86.220.180    | 2008-01-25 15:03:12 | BEUNLIMITED Avatar Broadband Limited
35830   | 193.37.145.11    | 2008-01-31 08:15:52 | SIVIT-AS SIVIT Network - http://www.sivit.net/
35830   | 194.146.224.115  | 2008-01-10 23:18:37 | SIVIT-AS SIVIT Network - http://www.sivit.net/
35830   | 194.146.224.180  | 2008-01-31 04:44:40 | SIVIT-AS SIVIT Network - http://www.sivit.net/
36351   | 74.86.122.194    | 2008-01-22 22:48:28 | SOFTLAYER - SoftLayer Technologies Inc.
36351   | 75.126.195.62    | 2008-01-17 20:21:08 | SOFTLAYER - SoftLayer Technologies Inc.
36420   | 209.62.63.82     | 2008-01-17 20:53:59 | EVERYONES-INTERNET3 - Everyones Internet
36752   | 64.157.4.42      | 2008-01-31 12:17:19 | YAHOO-SP1 - Yahoo
41003   | 194.153.116.180  | 2008-01-24 05:47:06 | IP-INTERACTIVE IP-Interactive Colocation / IP Transit Provider

More information about the nsp-security mailing list