[nsp-sec] ddos in BR - some data
Jose Nazario
jose at arbor.net
Sat Jul 5 15:03:12 EDT 2008
folks

i'm getting reports from a few sources about a set of massive DDoS events in
brazil, against telefonica, the BR government, and registro.br.

i don't have any C&C data but i do have some internet stats from ATLAS'
backend. here ya go:

max_pps          150406
avg_pps          37053.68125
max_dur(s)       59158            16.5 h
avg_dur          4257.3625        1.2 h
max_bps          138,779,768      139 Mbps
avg_bps          38,443,610.05    38 Mbps
attack_types     {None: 58, 'total': 46, 'tcpsyn': 56}
attack_class     {'misuse': 160}
attacks by date  {'2008-07-05': 74, '2008-07-04': 68, '2008-07-03': 18}
5 reporting ISPs
sources
xx.xx.125.194 (xx.xx.125.194)
xx.xx.57.194 (xx.xx.57.194)
xx.xx.165.146 (xx.xx.165.146)
xx.xx.47.80 (xx.xx.47.80)
xx.xx.68.244 (xx.xx.68.244)
xx.xx.0.0/0 (xx.xx.0.0/0)
destinations
still digging for C&Cs.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/