[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
Nicholas Ianelli
ni at cert.org
Fri Mar 7 10:01:32 EST 2008
All,
europroNET Bosnia has reported a large scale DDoS attack targeting one
of their IPs (80.65.160.10). All the flows are UDP based, so there may
be some spoofing involved, though the amount of unique sources (listed
below) is quite small.
I've attached the flows they've passed on to us; unfortunately I don't
have timestamps, though we received it at 0635EST.
This is an extortion attempt (pay or the DDoS will continue); any help
anyone can lend in attempting to track down the C&C and get this bad boy
mitigated would be great.
I'll see if I can get some update information to pass along. I'd ask
that you not block access to 80.65.160.10, but if you see UDP(17) flows
to that host, you may have an infected client.
https://asn.cymru.com/nsp-sec/upload/1204901454.whois.txt
Thanks!
Nick
Name: flow_from_our_routers.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080307/6f55b77d/attachment-0001.txt>
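As an added example that is not part of the original post, the check Nick asks operators to run (look for UDP flows to 80.65.160.10 in your own router flow data) written against a constructed, simplified CSV flow format; the record layout, the packet threshold and the sample source addresses are assumptions and not the attached flow_from_our_routers.txt:

```python
# Added example (not from the nsp-sec post): flag likely-infected clients in
# router flow records, following the post's advice that UDP (proto 17) flows
# toward 80.65.160.10 point at a compromised source on your network.
# Record format is a constructed NetFlow-style CSV, not the real attachment.
from collections import defaultdict

TARGET = "80.65.160.10"
UDP = 17

# Constructed sample records (RFC 5737 documentation addresses as sources):
# src_ip,dst_ip,proto,dst_port,packets,bytes
SAMPLE_FLOWS = """\
203.0.113.7,80.65.160.10,17,53,4200,5376000
203.0.113.7,80.65.160.10,17,80,3900,4992000
198.51.100.23,80.65.160.10,17,1434,15,19200
198.51.100.23,192.0.2.10,17,53,3,240
192.0.2.44,80.65.160.10,6,80,12,9600
203.0.113.7,192.0.2.99,6,443,30,41000
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:
            continue
        src, dst, proto, dport, pkts, nbytes = fields
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def suspect_sources(flows, target=TARGET, min_packets=100):
    """Aggregate UDP flows toward the target per source IP.
    Sources at or above min_packets are flagged; low-volume hits are returned
    separately, since a handful of UDP packets (or a spoofed source, as the
    post notes is possible) is weak evidence of an infected host."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for f in flows:
        if f["dst"] == target and f["proto"] == UDP:
            a = agg[f["src"]]
            a["packets"] += f["packets"]
            a["bytes"] += f["bytes"]
            a["dports"].add(f["dport"])
    flagged = {s: a for s, a in agg.items() if a["packets"] >= min_packets}
    low_volume = sorted(set(agg) - set(flagged))
    return flagged, low_volume

if __name__ == "__main__":
    flagged, low = suspect_sources(parse_flows(SAMPLE_FLOWS))
    for src, a in sorted(flagged.items()):
        print(f"{src}: {a['packets']} pkts, {a['bytes']} bytes, dst ports {sorted(a['dports'])}")
    print("low-volume UDP sources (review manually):", low)
```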