[nsp-sec] contact at Turk Telekom ? botnet periodically attacking google.
Stephen Gill
gillsr at cymru.com
Sat Mar 1 11:28:59 EST 2008
Do you have a full list of the IPs from 02/27 handy?
Thanks!
-- steve
On 2/29/08 8:24 PM, "Peter Moody" <pmoody at google.com> wrote:
> ----------- nsp-security Confidential --------
>
> hey folks,
>
> I just got this from one of our security engineers. any help on this
> would be greatly appreciated. Times are in pst.
>
> A botnet of about 1500 IPs hit us on 2008-02-22 13:54-13:56. Bots
> were very simple, with only a Host: header.
> A larger botnet (2000+ IPs) hit us on 2008-02-27 05:03-05:06. Bots
> were slightly more advanced... they had a User-Agent: header also.
> A third attack (about 850 IPs) hit us on 2008-02-29 09:29-09:32. Bots
> now added a Referer: header to the mix.
>
> Each attack was capable of sending more than 10,000 requests/second.
> Nearly all hosts appear to be in Turk Telekom space. It's slightly
> strange that the botnet isn't more geographically diverse, but that's
> not too uncommon. Most disturbing is that they appear to be actively
> improving their code, and these short attacks may be testing for a
> larger attack from a more global botnet in the future.
>
> Curiously, there was little overlap between the hosts in the three
> attacks. The first two only had 21 bots in common, the third had
> none. The IPs shared by the first two attacks were:
>
> Cheers,
> .peter
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
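
The comparison described in the quoted report (which headers each wave sent, and how many source IPs the waves shared) can be reproduced from request logs along these lines. This is an added example, not part of the original thread; the record layout, the `EXPECTED` browser header set and all sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample records: (wave, source IP, request header names).
# IPs come from RFC 5737 documentation ranges, not from the thread.
SAMPLE = [
    ("02-22", "192.0.2.10", ["Host"]),
    ("02-22", "192.0.2.11", ["Host"]),
    ("02-22", "192.0.2.12", ["Host"]),
    ("02-27", "192.0.2.11", ["Host", "User-Agent"]),
    ("02-27", "198.51.100.5", ["User-Agent", "Host"]),
    ("02-27", "198.51.100.6", ["Host", "User-Agent"]),
    ("02-29", "203.0.113.7", ["Host", "User-Agent", "Referer"]),
    ("02-29", "203.0.113.8", ["Host", "Referer", "User-Agent"]),
]

# Assumption: ordinary browser traffic to this service also carries these.
EXPECTED = {"accept", "accept-language", "accept-encoding"}

def fingerprint(header_names):
    """Order- and case-insensitive signature of the header names present."""
    return tuple(sorted(h.lower() for h in header_names))

def is_sparse(fp):
    """True when none of the headers a browser normally sends is present."""
    return not (EXPECTED & set(fp))

def summarize(records):
    """Per wave: set of source IPs and the most common header fingerprint."""
    ips, fps = defaultdict(set), defaultdict(Counter)
    for wave, ip, headers in records:
        ips[wave].add(ip)
        fps[wave][fingerprint(headers)] += 1
    return {w: (ips[w], fps[w].most_common(1)[0][0]) for w in ips}

def overlaps(summary):
    """Shared source IPs and Jaccard similarity for each pair of waves."""
    out = {}
    for a, b in combinations(sorted(summary), 2):
        sa, sb = summary[a][0], summary[b][0]
        shared = sa & sb
        out[(a, b)] = (sorted(shared), len(shared) / len(sa | sb))
    return out

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for wave, (ips, fp) in sorted(s.items()):
        print(wave, len(ips), fp, "sparse" if is_sparse(fp) else "browser-like")
    for pair, (shared, j) in overlaps(s).items():
        print(pair, shared, round(j, 2))
```

A changing dominant fingerprint with near-zero IP overlap between waves is the pattern the report describes; blocking on source address alone would not carry over from one wave to the next, while the sparse-header signature does until the client code changes again.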