[nsp-sec] Priceline
BATTLES, TIMOTHY A (TIM), ATTLABS
tmbattles at att.com
Wed Jul 23 15:26:41 EDT 2008
13:40 GMT July 22nd. It died off right around 00:00 GMT and then picked
back up again the same time today at 13:40 GMT.
Yesterday there were only a couple thousand zombies sending lots of
requests, up to 20,000. Today, they changed the vector to 30,000+ zombies
making ~5-20 requests. They are mostly European sources.
Here is one of the agent logs:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRSPUTNIK 2, 0,
0, 20 SW; MRA 5.0 (build 02094); .NET CLR 2.0.50727)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html;
MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952);
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR
2.0.50727; .NET CLR 3.0.04506.03)
Obviously not coming from googlebot.
-----Original Message-----
From: Rob Thomas [mailto:robt at cymru.com]
Sent: Wednesday, July 23, 2008 2:16 PM
To: BATTLES, TIMOTHY A (TIM), ATTLABS
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Priceline
Hey, Tim.
So far I've come up with bupkes. Any idea of when this started in
UTC/GMT?
Thanks!
Rob.
BATTLES, TIMOTHY A (TIM), ATTLABS wrote:
> ----------- nsp-security Confidential --------
>
>
> Priceline is currently experiencing a DDOS attack. HTTP zombie gets
> destined to 64.6.17.1. Looking to try and catch the bot controller
> behind this. The attack is being mitigated and Priceline is up and 100%
> operational. Any assistance in tracking this would be appreciated.
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Timothy A Battles
> AT&T IP Network Security Group
> Work: (314)770-3326
> Cell: (314)280-4578
> Fax: (314)770-9568
> Email: tmbattles at att.com
> 12976 Hollenberg Drive
> Bridgeton, MO 63044-2407
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
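
Added example, not part of the original thread: one way to flag the kind of User-Agent inconsistency pointed out above (a Googlebot claim carrying desktop browser and toolbar tokens) and to count requests per source. The log layout, the label names and the source addresses are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# A UA that claims to be the crawler.
CRAWLER_CLAIM = re.compile(r"Googlebot/\d", re.I)
# Desktop browser, OS and toolbar markers a crawler UA would not carry.
# MRSPUTNIK and MRA come from the strings quoted in the post.
DESKTOP_TOKENS = re.compile(r"MSIE \d|Windows NT|\.NET CLR|MRSPUTNIK|MRA \d", re.I)

# Constructed sample, one "<source-ip> <user-agent>" per line. Addresses are
# documentation ranges; the desktop and spoofed UAs are the ones from the
# post with the e-mail line wraps joined.
SAMPLE_LOG = """\
192.0.2.10 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
198.51.100.7 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRSPUTNIK 2, 0, 0, 20 SW; MRA 5.0 (build 02094); .NET CLR 2.0.50727)
203.0.113.5 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html; MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.03)
203.0.113.5 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html; MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.03)
203.0.113.9 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html; MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.03)
"""

def classify(ua):
    """Label one User-Agent string by what it claims versus what it carries."""
    if CRAWLER_CLAIM.search(ua):
        if DESKTOP_TOKENS.search(ua):
            return "spoofed-crawler"      # crawler claim plus desktop markers
        return "unverified-crawler"       # plausible; still needs a DNS check
    return "browser"

def summarize(log_text):
    """Return ({label: set of sources}, Counter of requests per source)."""
    sources = defaultdict(set)
    requests = Counter()
    for line in log_text.splitlines():
        ip, _, ua = line.strip().partition(" ")
        if not ua:
            continue                      # skip blank or malformed lines
        sources[classify(ua)].add(ip)
        requests[ip] += 1
    return dict(sources), requests

if __name__ == "__main__":
    by_label, per_source = summarize(SAMPLE_LOG)
    for label, ips in sorted(by_label.items()):
        print(label, sorted(ips))
    print(per_source.most_common(3))
```

A string that passes this check is only consistent with a crawler; confirming it takes a reverse DNS lookup of the source address followed by a forward lookup of the returned name.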