[nsp-sec] udp/53 flood -> 64.39.129.23 - 300Kpps
Lawrence Baldwin
baldwinl at mynetwatchman.com
Tue Jul 29 12:52:36 EDT 2008
Payload looked like this... exact same from both source IPs:
0000 00 0b fd db 1e 3f 00 90 69 39 64 1f 08 00 45 00 .....?..i9d...E.
0010 00 2b 72 d2 40 00 35 11 5a 85 5b 79 5b b3 40 27 .+r.@.5.Z.[y[.@'
0020 81 17 e4 3b 00 35 00 17 d4 53 30 31 32 33 34 35 ...;.5...S012345
0030 36 37 38 39 41 42 43 44 45 00 00 00 6789ABCDE...
Based on TTL analysis, traffic does NOT appear to have been spoofed.
Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Alpharetta, GA
+1.678.624.0924
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Lawrence Baldwin
Sent: Tuesday, July 29, 2008 12:13
To: nsp-security at puck.nether.net
Subject: [nsp-sec] udp/53 flood -> 64.39.129.23 - 300Kpps
----------- nsp-security Confidential --------
One of my customers just called a few minutes ago... thinking they were being
DDoSed. Upon looking at the traffic we're seeing tremendous inbound udp/53
traffic:
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 4
# Name: Source/Destination IP
#
# Args: flow-stat -f 10 -S 4
#
#
# src IPaddr        dst IPaddr        flows   octets      packets
#
193.230.175.3       64.39.129.23      11      70392634    1637038
91.121.91.179       64.39.129.23      11      70208035    1632745
Above is about 2 minutes of *sampled* netflow.
193.230.175.3|6746||ro|astral.ro|abuse at astral.ro
91.121.91.179|16276|||ovh.net|abuse at ovh.net
The nature of the IPs does NOT make sense that this would be poisoning
attempts:
...I don't have full payload yet but suspecting this may be poisoning
activity.
91.121.91.179
HTTP:Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
SMTP:220 zx12r-clubdefrance.org ESMTP Postfix (Debian/GNU)
193.230.175.3 upc.topnet.ro A
Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Alpharetta, GA
+1.678.624.0924
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
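Added example (my code, not from the post or the list): a decoder for the frame in the hex dump above that recovers the IPv4 TTL and addresses, the UDP ports and payload, estimates the hop count from the common OS initial TTLs (assumed to be 64/128/255), and checks whether the payload is even shaped like a DNS query. The example.com query used for comparison is constructed.

```python
import struct
from ipaddress import IPv4Address

# Frame transcribed from the hex dump in the post (offset column kept, ASCII column dropped).
HEXDUMP = """
0000 00 0b fd db 1e 3f 00 90 69 39 64 1f 08 00 45 00
0010 00 2b 72 d2 40 00 35 11 5a 85 5b 79 5b b3 40 27
0020 81 17 e4 3b 00 35 00 17 d4 53 30 31 32 33 34 35
0030 36 37 38 39 41 42 43 44 45 00 00 00
"""

def hexdump_to_bytes(dump):
    """Convert 'offset b0 b1 ...' lines to raw bytes; the first field on each line is the offset."""
    return b"".join(bytes(int(h, 16) for h in ln.split()[1:]) for ln in dump.strip().splitlines())

def is_plausible_dns_query(payload):
    """Sanity check: 12-byte header, QR=0, QDCOUNT=1, one well-formed QNAME, then QTYPE+QCLASS."""
    if len(payload) < 17 or payload[2] & 0x80 or struct.unpack("!H", payload[4:6])[0] != 1:
        return False
    pos = 12
    while payload[pos]:                      # walk the labels until the terminating zero length
        if payload[pos] > 63 or pos + 1 + payload[pos] >= len(payload):
            return False                     # compression pointer, or label overruns the message
        pos += 1 + payload[pos]
    return pos + 1 + 4 == len(payload)       # exactly QTYPE and QCLASS must follow the name

def ttl_estimate(ttl):
    """Assume the sender started at 64, 128 or 255 (common OS defaults) and derive the hop count."""
    initial = next(d for d in (64, 128, 255) if d >= ttl)
    return initial, initial - ttl

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / UDP and return the fields a flood triage would look at."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]                  # bytes past total_len are Ethernet padding, not data
    sport, dport, udp_len, _cksum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    initial_ttl, hops = ttl_estimate(ttl)
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "ttl": ttl, "initial_ttl_guess": initial_ttl, "hops": hops,
            "dont_fragment": bool(frag & 0x4000), "sport": sport, "dport": dport,
            "payload": payload, "eth_padding": len(ip) - total_len,
            "plausible_dns_query": is_plausible_dns_query(payload)}

FRAME = parse_frame(hexdump_to_bytes(HEXDUMP))

if __name__ == "__main__":
    for k, v in FRAME.items():
        print(f"{k:>20}: {v}")
```

The 15-byte ASCII filler fails the DNS shape check, which is what separates a bandwidth flood from a poisoning attempt; a steady TTL across thousands of packets from one source is the signal the "TTL analysis" in the post relies on, and a spoofed flood typically shows scattered TTLs instead.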