[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)
Nicolas FISCHBACH
nicolist at securite.org
Thu Jan 31 16:41:01 EST 2008
Rob Thomas wrote:
>
> Hey, Nico!
Hey,
> Sorry to hear about the DDoS attack. :(
Well, I hadn't seen such a large and long-lasting one in a long time. It
was getting boring ;-))
>> It's hitting mainly 213.27.239.85 and for some time 213.27.136.168.
>
> Are both IPs tied to www.berggi.com?
Yes, the customer has the following ranges (and got hit on all 3):
213.27.150.168/29
213.27.239.80/28
213.27.146.180/30
> If so, we see some attacks from one botnet beginning on 2008-01-28
> 16:43:26.161362 UTC. It's a kitchen sink approach, with SYN floods
> initially followed by HTTP GET floods.
Yep, but this one was easily mitigated.
> The same crew fires up an impressive UDP flood to port 50 starting on
> 2008-01-27 18:50:49.239885 UTC. The kitchen sink continues in this
> botnet as well, with all sorts of packet love coming from this botnet
> - TCP SYN, HTTP GET, multiple packet/protocol attacks, etc.
>
> Someone has a lot of hate to give.
Agreed. Wondering if someone is pissed off due to a bill because he
downloaded too many ring tones or if a competitor is trying to shut
them down and kill their business.
> The botnet is r00t.lammerz.com.ar, and at the time of the attacks
> this was on 64.32.13.143 TCP 6667. The channels are at least
> "#arnet#" and "#none" and "#%%#" (no quotes). Other fun (albeit
> small at 3 clients) channels include:
>
> *** #cracking 3 [+nt] Irc.ELCracker.Net #Cracking //
> Accept Carding & Banking // Not Accept Rippers // Enjoy ! // Shellz
> for Spam Or Upload Ur File ! -> http://www.vsm.gov.tr/pwnd/
> shellz.txt <- Enjoy ! You Need SENDMAIL INBOX ?? -> +http://
> www.vsm.gov.tr/pwnd/sender.txt <- Mailer inbox ssh Enjoy (N
>
> The attack and possibly the ubiquitous null route are costing them bots.
>
> *** Current Local Users: 97 Max: 1017
> *** Current Global Users: 97 Max: 998
>
> I've put a list of 141 probable bots at the bottom of this note.
Thanks. Can the people with bots on the list try to get a copy of the
malware?
> If you'd like we can set the wayback machine for before 27 JAN 2008
> and see if there are any other attacks or discourse.
We only saw attacks this week so far, nothing in PFSP for the weeks
before.
> Good luck, and let us know if there is anything we can do to help!
Thanks,
Nico.
--
Nicolas FISCHBACH
Senior Manager - Network Engineering/Security - COLT Telecom
e:(nico at securite.org) w:<http://www.securite.org/nico/>