[nsp-sec] Euro 2008 related DDoS attacks?
Chris Calvert
Chris.Calvert at telus.com
Fri Jun 27 11:26:47 EDT 2008
This is definitely something to expect for every major tournament.
For those who aren't following Euro 2008, Spain and Germany play the final
match on Sunday at ~12:45 (GMT-6). Expect to see related network traffic
during and following the game. First, perhaps traffic spikes due to
streaming feeds of the game, then perhaps attacks like Jose saw and/or
related spam etc.
Chris
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Serge Droz
> Sent: Friday, June 27, 2008 12:50 AM
> To: Jose Nazario
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Euro 2008 related DDoS attacks?
>
> ----------- nsp-security Confidential --------
>
> These are all Spanish clubs.
> Yesterday Russia lost against Spain 3:0.
>
> Oh, well. But the real DoS is the fan miles in the Euro
> 08-Host cities.
>
>
> Cheers from Euro infected Switzerland
> Serge
>
> Jose Nazario wrote:
> > ----------- nsp-security Confidential --------
> >
> > some of these domains look european football (or futbol or fusbol)
> > related. and with euro '08 on ...
> >
> > these are all black energy botnets. some of these nets may be related or
> > hosted on the same box (cnames and vhosts)
> >
> > DECODED RESPONSES
> > C&C: http://prosto.pizdos.net/_lol/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;10;2000;2000#flood http spainselecta.com,elfutbolin.com,rcdmallorca.es,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#
> >
> >
> > C&C: http://russia.net.in/_rus/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#
> >
> >
> > C&C: http://googlecomaolcomyahoocomaboutcom.net/yandex/ru/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,canaldeportivo.com,canaldeportivo.com,rcdmallorca.es,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net,malagacf.es#10#
> >
> >
> > C&C: http://turkeyonline.name/online/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,canaldeportivo.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es<www.celtavigo.net,malagacf.es#10#
> >
> >
> > C&C: http://vse.ohueli.net/_vse_/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;20;1000;2000#flood http spainselecta.com,elfutbolin.com,realzaragoza.com,rcdmallorca.es,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net<malagacf.es#10#
> >
> >
> > C&C: http://killgay.com/_p_idrilo/stat.php
> > CMD: 10;2000;5;0;0;30;100;3;20;1000;2000#flood http divaescort.com,realzaragoza.com,www.fcbarcelona.com,realracingclub.es,www.realvalladolid.es,www.celtavigo.net,malagacf.es#10#
> >
> >
> > -------------------------------------------------------------
> > jose nazario, ph.d. <jose at arbor.net> security researcher, office of
> > the CTO, arbor networks
> > v: (734) 821 1427 http://asert.arbornetworks.com/
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Serge Droz, SWITCH-CERT
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> phone +41 44 268 15 63, fax +41 44 268 15 78
> serge.droz at switch.ch, http://www.switch.ch
>
>
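An added example, not part of the thread or written by any of its participants: a parser for decoded command strings laid out like the CMD lines quoted above. It tallies which controllers list each flood target (for building a notification list) and scores how far two controllers' target lists overlap. Controller names and hosts are constructed placeholders, fields are split by position only with no meaning assumed, and the overlap score is this example's own heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: placeholder controller names and reserved .example hosts,
# laid out like the decoded CMD strings quoted in the thread.
SAMPLE = {
    "cc-a.example": "10;2000;5;0;0;30;100;3;10;2000;2000#flood http "
                    "club-a.example,www.club-b.example<club-c.example#10#",
    "cc-b.example": "10;2000;5;0;0;30;100;3;20;1000;2000#flood http "
                    "club-a.example,club-c.example,club-c.example#10#",
    "cc-c.example": "10;2000;5;0;0;30;100;3;20;1000;2000#flood http "
                    "other.example,club-a.example#10#",
}

def parse_cmd(cmd):
    """Split a decoded CMD string into (params, verb, targets, trailer).

    Fields are handled by position only; their meaning is not assumed.
    """
    parts = cmd.strip().split("#")
    if len(parts) < 2:
        raise ValueError("no '#' separator in command")
    params = [int(p) for p in parts[0].split(";") if p]
    words = parts[1].split(None, 2)
    verb = " ".join(words[:2])
    # Drop whitespace left by mail re-wrapping, then split on ',' and on the
    # stray '<' that replaces a comma in some of the quoted lists.
    raw = re.sub(r"\s+", "", words[2]) if len(words) > 2 else ""
    targets = sorted({t.lower() for t in re.split(r"[,<]", raw) if t})
    return params, verb, targets, [p for p in parts[2:] if p]

def targets_by_controller(decoded):
    """Map each flood target to the set of controllers that list it."""
    seen = defaultdict(set)
    for cc, cmd in decoded.items():
        _, verb, targets, _ = parse_cmd(cmd)
        if verb == "flood http":
            for host in targets:
                seen[host].add(cc)
    return dict(seen)

def overlap(decoded, a, b):
    """Jaccard similarity of two controllers' target lists (a heuristic)."""
    ta, tb = set(parse_cmd(decoded[a])[2]), set(parse_cmd(decoded[b])[2])
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

if __name__ == "__main__":
    for host, ccs in sorted(targets_by_controller(SAMPLE).items()):
        print(f"{host}: listed by {len(ccs)} controller(s)")
    print(f"cc-a vs cc-b overlap: {overlap(SAMPLE, 'cc-a.example', 'cc-b.example'):.2f}")
```

Input is expected with the mail quote markers already stripped; a high overlap score only suggests shared tasking and does not by itself show that two controllers are the same operation.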