[nsp-sec] amazon attack

Chris Morrow morrowc at ops-netman.net
Fri Jun 6 16:50:56 EDT 2008



On Fri, 6 Jun 2008, Dave Burke wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just consulted with our networking folks. Where we have 701, we don't
> have the capacity to announce www.amazon.com through it.
>

doh :(

> We're currently recovered and starting to remove the blocks in a phased
> manner.
>

cool.

> Chris Morrow wrote:
>>
>> On Fri, 6 Jun 2008, Dave Burke wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>> We're trying to get one now from the frontend LB.
>>
>> All requests are for: HTTP/1.1 GET
>> http://www.amazon.com/gp/product/B000JO1IPI/ref=s9alfix_c2_at2-rfc_p-2991_g1?redirect=true&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=14C7VX4RTA06GC04AX7A&pf_rd_t=101&pf_rd_p=397916001&pf_rd_i=507846
>>
>>
>>> I'd note that that is filterable on the guards... so if you had those, or
>>> ping'ed 701's folks for help they could as well.
>>
>>> -Chris
>>
>> dave
>>
>> Smith, Donald wrote:
>>>>> Dave, do you have any attack packet details?
>>>>> What address are they attacking? www.amazon.com, I presume?
>>>>>
>>>>>
>>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>>> Donald.Smith at qwest.com giac
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: nsp-security-bounces at puck.nether.net
>>>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dave Burke
>>>>>> Sent: Friday, June 06, 2008 2:09 PM
>>>>>> To: NSP nsp-security
>>>>>> Subject: [nsp-sec] amazon attack
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> FYI,
>>>>>
>>>>> Here are the top 10 offenders we have blocked so far on our border
>>>>>
>>>>>
>>>>> 208.86.157.28 was being controlled via script from 194.85.89.245
>>>>>
>>>>> I've attached the loc.php script being used.
>>>>>
>>>>> So far, all of the top offenders we're seeing are Linux servers running
>>>>> Apache/PHP
>>>>>
>>>>>
>>>>> dave
>>>>>
>
>>>
>>>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>>>
>

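As an added example (not code from the thread or from any of the operators in it), this is the kind of detection logic a defender could run over front-end or LB access logs to produce the per-/32 border block list the thread describes: it counts GET requests for the targeted product path per client IP, keeps clients at or above a threshold, and renders them as host prefixes. The log lines, the documentation-range IPs and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Common/combined access-log prefix: client ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path every flood request in the thread was hitting; the query string varies, so match the prefix.
TARGET_PREFIX = "/gp/product/B000JO1IPI/"

def count_hits(lines, path_prefix=TARGET_PREFIX, method="GET"):
    """Count requests per client IP whose method matches and whose path starts with path_prefix."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than crash while processing a flood
        if m["method"] == method and m["path"].startswith(path_prefix):
            hits[m["ip"]] += 1
    return hits

def top_offenders(lines, threshold, n=10, path_prefix=TARGET_PREFIX):
    """Return up to n (ip, count) pairs, highest first, for clients at or above threshold."""
    return [(ip, c) for ip, c in count_hits(lines, path_prefix).most_common(n) if c >= threshold]

def to_block_list(offenders):
    """Render offenders as /32 host prefixes, the form used for the border blocks in the thread."""
    return [f"{ip}/32" for ip, _ in offenders]

def _constructed_log():
    """Constructed sample log using documentation IPs, not the hosts named in the thread."""
    flood = ('{ip} - - [06/Jun/2008:13:55:{s:02d} -0400] "GET /gp/product/B000JO1IPI/'
             'ref=s9alfix_c2_at2-rfc_p-2991_g1?redirect=true&pf_rd_r={r} HTTP/1.1" 200 512')
    normal = '{ip} - - [06/Jun/2008:13:55:{s:02d} -0400] "GET /gp/bestsellers HTTP/1.1" 200 2048'
    lines = []
    lines += [flood.format(ip="192.0.2.10", s=s, r=s) for s in range(30)]   # heavy offender
    lines += [flood.format(ip="198.51.100.7", s=s, r=s) for s in range(12)]  # second offender
    lines += [flood.format(ip="203.0.113.4", s=s, r=s) for s in range(3)]    # below threshold
    lines += [normal.format(ip="203.0.113.9", s=s) for s in range(5)]        # unrelated traffic
    lines.append("garbage line that does not parse")                         # exercises the skip
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for prefix in to_block_list(top_offenders(SAMPLE_LOG, threshold=10)):
        print(prefix)
```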