[nsp-sec] amazon attack
Dave Burke
dave at amazon.com
Fri Jun 6 16:48:02 EDT 2008
Just consulted with our networking folks. Where we have 701, we don't
have the capacity to announce www.amazon.com through it.
We're currently recovered and starting to remove the blocks in a phased
manner.
Chris Morrow wrote:
>
> On Fri, 6 Jun 2008, Dave Burke wrote:
>
>> ----------- nsp-security Confidential --------
>>
> We're trying to get one now from the frontend LB.
>
> All requests are for: HTTP/1.1 GET
> http://www.amazon.com/gp/product/B000JO1IPI/ref=s9alfix_c2_at2-rfc_p-2991_g1?redirect=true&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=14C7VX4RTA06GC04AX7A&pf_rd_t=101&pf_rd_p=397916001&pf_rd_i=507846
>
>
>> I'd note that that is filterable on the guards... so if you had those, or
>> ping'ed 701's folks for help they could as well.
>
>> -Chris
>
> dave
>
> Smith, Donald wrote:
>>>> Dave do you have any attack packet details?
>>>> What address are they attacking www.amazon.com I presume?
>>>>
>>>>
>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>> Donald.Smith at qwest.com giac
>>>>
>>>>> -----Original Message-----
>>>>> From: nsp-security-bounces at puck.nether.net
>>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dave Burke
>>>>> Sent: Friday, June 06, 2008 2:09 PM
>>>>> To: NSP nsp-security
>>>>> Subject: [nsp-sec] amazon attack
>>>>
>>>> FYI,
>>>>
>>>> Here is the top 10 offenders we have blocked so far on our border
>>>>
>>>> 208.86.157.28 was being controlled via script from 194.85.89.245
>>>>
>>>> I've attached the loc.php script being used.
>>>>
>>>> So far, all of the top offenders, we're seeing are linux servers running
>>>> apache/php
>>>>
>>>>
>>>> dave
>>>>
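Added example, not part of the original thread or any poster's code: one way to pull per-source block candidates out of front-end request logs when, as described above, every attack request is a GET for the same product URL. The log format, thresholds and sample addresses are assumptions; the code treats the absolute-form request target quoted in the thread and an ordinary origin-form request for the same page as one path.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample data: documentation-range addresses and a hypothetical
# "<src> <method> <request-target>" log format. Only the product path prefix
# comes from the thread; nothing here is data from the incident.
HOT = "/gp/product/B000JO1IPI/ref=example"
SAMPLE = (
    [f"192.0.2.10 GET http://www.amazon.com{HOT}?redirect=true"] * 8
    + [f"198.51.100.7 GET http://www.amazon.com{HOT}?redirect=true"] * 3
    + [f"198.51.100.7 GET {HOT}?redirect=true"] * 3   # origin-form, same page
    + [f"203.0.113.5 GET /page/{i}" for i in range(5)]  # ordinary browsing
    + [f"203.0.113.5 GET {HOT}", f"203.0.113.9 GET {HOT}"]
)


def normalize_target(target):
    """Reduce absolute-form and origin-form request targets to the bare path."""
    return urlsplit(target).path or "/"


def flood_sources(lines, min_requests=5, min_share=0.9):
    """Return (src/32, path, hits) for sources fixated on a single path.

    min_requests and min_share are assumed thresholds, to be tuned per site.
    """
    per_source = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue  # skip malformed lines and other methods
        per_source[parts[0]][normalize_target(parts[2])] += 1

    flagged = []
    for src, targets in per_source.items():
        total = sum(targets.values())
        path, hits = targets.most_common(1)[0]
        if total >= min_requests and hits / total >= min_share:
            flagged.append((f"{src}/32", path, hits))
    return sorted(flagged, key=lambda row: -row[2])


if __name__ == "__main__":
    for prefix, path, hits in flood_sources(SAMPLE):
        print(f"{prefix}\t{hits}\t{path}")
```

The source that browses several pages and the one that requests the product page once are left out, so the output is a list of candidates to review before blocking, not a block list in itself.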