[nsp-sec] Euro 2008 related DDoS attacks?

Jose Nazario jose at arbor.net
Thu Jun 26 21:41:53 EDT 2008


some of these domains look european football (or futbol or fusbol) 
related. and with euro '08 on ...

these are all black energy botnets. some of these nets may be related or 
hosted on the same box (cnames and vhosts)

DECODED RESPONSES
C&C: 	 http://prosto.pizdos.net/_lol/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;10;2000;2000#flood http spainselecta.com,elfutbolin.com,rcdmallorca.es,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#

C&C: 	 http://russia.net.in/_rus/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#

C&C: 	 http://googlecomaolcomyahoocomaboutcom.net/yandex/ru/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,canaldeportivo.com,canaldeportivo.com,rcdmallorca.es,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net,malagacf.es#10#

C&C: 	 http://turkeyonline.name/online/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,canaldeportivo.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es<www.celtavigo.net,malagacf.es#10#

C&C: 	 http://vse.ohueli.net/_vse_/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,rcdmallorca.es,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#

C&C: 	 http://killgay.com/_p_idrilo/stat.php
CMD: 	 10;2000;5;0;0;30;100;3;20;1000;2000#flood http divaescort.com,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net,malagacf.es#10#

-------------------------------------------------------------
jose nazario, ph.d.     <jose at arbor.net> 
security researcher, office of the CTO,  arbor networks
v: (734) 821 1427 	      http://asert.arbornetworks.com/
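
Added example, not part of the original post: one way to check the "may be related" observation is to parse each decoded CMD line and compare settings strings and target lists across C&C URLs. The `settings#command#number#` layout is inferred only from the lines above, treating `<` as a separator is an assumption, the hosts are constructed placeholders, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample shaped like the decoded responses above; the hosts are
# placeholders, not values from the post.
SAMPLE = [
    ("http://c2-one.example/stat.php",
     "10;2000;5;0;0;30;100;3;10;2000;2000#flood http "
     "a.example,b.example,www.c.example<d.example#10#"),
    ("http://c2-two.example/stat.php",
     "10;2000;5;0;0;30;100;3;20;1000;2000#flood http "
     "a.example,b.example,www.c.example,d.example#10#"),
    ("http://c2-three.example/stat.php",
     "10;2000;5;0;0;30;100;3;20;1000;2000#flood http "
     "e.example,b.example,b.example#10#"),
]

def parse_cmd(cmd):
    """Split a decoded CMD line into (settings, verb, mode, targets, trailer)."""
    parts = cmd.split("#")
    if len(parts) < 3:
        raise ValueError("expected settings#command#trailer")
    settings = tuple(int(x) for x in parts[0].split(";"))
    verb, mode, hosts = parts[1].split(None, 2)
    # Assumption: '<' seen in place of ',' is a separator, not part of a name.
    targets = sorted({h.strip().lower() for h in re.split(r"[,<]", hosts) if h.strip()})
    return settings, verb, mode, targets, parts[2]

def correlate(responses):
    """Return (C&Cs grouped by settings, C&Cs per target, pairwise target overlap)."""
    by_settings, by_target, seen = defaultdict(list), defaultdict(set), {}
    for url, cmd in responses:
        settings, _verb, _mode, targets, _trailer = parse_cmd(cmd)
        by_settings[settings].append(url)
        seen[url] = set(targets)
        for t in targets:
            by_target[t].add(url)
    # Jaccard similarity of target sets: 1.0 means two C&Cs push the same list.
    overlap = {(a, b): len(seen[a] & seen[b]) / len(seen[a] | seen[b])
               for a, b in combinations(seen, 2)}
    return dict(by_settings), dict(by_target), overlap

if __name__ == "__main__":
    groups, per_target, overlap = correlate(SAMPLE)
    for pair, score in sorted(overlap.items(), key=lambda kv: -kv[1]):
        print(f"{score:.2f}  {pair[0]}  {pair[1]}")
    for host, urls in sorted(per_target.items()):
        print(f"{host}: named by {len(urls)} C&C(s)")
```

C&Cs that share a settings string and score near 1.0 on target overlap are candidates for the same operator or the same box; the per-target map gives the list of sites to notify.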


