[nsp-sec] Amazon Attack (06/09/2008)
Stephen Gill
gillsr at cymru.com
Mon Jun 9 16:01:07 EDT 2008
Hi Dave,
Can you describe the attack characteristics?
Some floods do appear to have come in today from this IP:
2008-06-09 13:06:20 | http://ad.yandexshit.com/_admin/stat.php |
190.183.60.82 | 72.21.203.1 | www.amazon.com |
10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
2008-06-09 13:07:06 | http://vse.ohueli.net/_vse_/stat.php |
190.183.60.82 | 72.21.203.1 | www.amazon.com |
10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
2008-06-09 13:07:41 | http://prosto.pizdos.net/_lol/stat.php |
190.183.60.82 | 72.21.210.11 | www.amazon.com |
10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
2008-06-09 13:07:42 | http://vse.ohueli.net/_vse_/stat.php |
190.183.60.82 | 72.21.210.11 | www.amazon.com |
10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
Still doing some flow triangulation to see if there are any others in the
mix.
-- steve
On 6/9/08 11:49 AM, "Dave Burke" <dave at amazon.com> wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> We're under attack again. All ASNs (7224/39111/16509).
>
> We're seeing Apache/Linux/PHP servers hitting us...
>
> Any help mitigating is appreciated.
>
> dave
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com