[nsp-sec] contact at Turk Telekom ? botnet periodically attacking google.
Peter Moody
pmoody at google.com
Sat Mar 1 13:29:03 EST 2008
Here you go. The top ~1800 IPs for the attack on the 27th.
(crosses fingers that puck will let me attach this)
Cheers,
.peter
On Sat, Mar 1, 2008 at 8:28 AM, Stephen Gill <gillsr at cymru.com> wrote:
> Do you have a full list of the IPs from 02/27 handy?
>
> Thanks!
> -- steve
>
> On 2/29/08 8:24 PM, "Peter Moody" <pmoody at google.com> wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > hey folks,
> >
> > I just got this from one of our security engineers. Any help on this
> > would be greatly appreciated. Times are in PST.
> >
> > A botnet of about 1500 IPs hit us on 2008-02-22 13:54-13:56. Bots
> > were very simple, with only a Host: header.
> > A larger botnet (2000+ IPs) hit us on 2008-02-27 05:03-05:06. Bots
> > were slightly more advanced... they had a User-Agent: header also.
> > A third attack (about 850 IPs) hit us on 2008-02-29 09:29-09:32. Bots
> > now added a Referer: header to the mix.
> >
> > Each attack was capable of sending more than 10,000 requests/second.
> > Nearly all hosts appear to be in Turk Telekom space. It's slightly
> > strange that the botnet isn't more geographically diverse, but that's
> > not too uncommon. Most disturbing is that they appear to be actively
> > improving their code, and these short attacks may be testing for a
> > larger attack from a more global botnet in the future.
> >
> > Curiously, there was little overlap between the hosts in the three
> > attacks. The first two only had 21 bots in common, the third had
> > none. The IPs shared by the first two attacks were:
> >
> > Cheers,
> > .peter
> >
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
--
Peter Moody Google 1.650.253.7306
Network Security Engineer pgp:0xC3410038
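
The header fingerprints and wave-to-wave overlap described in the quoted report, as an added example that is not part of the original thread: it classifies requests by the set of header names present and intersects the matching source IPs between waves. The sample requests, wave labels and function names are constructed for illustration (addresses come from RFC 5737 documentation ranges), and matching on an exact header-name set is an assumption about how one would key on the three patterns the report lists.

```python
from collections import defaultdict

# Constructed sample requests: (wave label, source IP, raw header block).
# Addresses are RFC 5737 documentation ranges, not taken from the thread.
SAMPLE = [
    ("wave1", "192.0.2.10", "Host: www.example.com\r\n"),
    ("wave1", "192.0.2.11", "Host: www.example.com\r\n"),
    ("wave2", "192.0.2.10", "Host: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n"),
    ("wave2", "198.51.100.7", "host: www.example.com\r\nuser-agent: Mozilla/4.0\r\n"),
    ("wave3", "203.0.113.5", "Host: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n"
                             "Referer: http://www.example.com/\r\n"),
    # A fuller, browser-like header set that should not match.
    ("wave3", "203.0.113.9", "Host: www.example.com\r\nAccept: */*\r\n"
                             "Accept-Language: en\r\nUser-Agent: X\r\nCookie: a=b\r\n"),
]

# Header-name sets the report attributes to the bots in the three attacks.
BOT_FINGERPRINTS = {
    frozenset({"host"}),
    frozenset({"host", "user-agent"}),
    frozenset({"host", "user-agent", "referer"}),
}

def header_fingerprint(raw):
    """Return the set of lowercased header names in a raw header block."""
    names = set()
    for line in raw.split("\r\n"):
        if line[:1] in (" ", "\t"):      # folded continuation line, not a new header
            continue
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return frozenset(names)

def bot_ips_by_wave(requests):
    """Map wave label -> source IPs whose requests match a bot fingerprint."""
    waves = defaultdict(set)
    for wave, ip, raw in requests:
        if header_fingerprint(raw) in BOT_FINGERPRINTS:
            waves[wave].add(ip)
    return dict(waves)

def overlap(waves, a, b):
    """Source IPs seen in both waves."""
    return waves.get(a, set()) & waves.get(b, set())

if __name__ == "__main__":
    waves = bot_ips_by_wave(SAMPLE)
    for name in sorted(waves):
        print(name, sorted(waves[name]))
    print("wave1 & wave2:", sorted(overlap(waves, "wave1", "wave2")))
```
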