[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
Tim Wilde
twilde at cymru.com
Fri Mar 7 13:06:36 EST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nicholas Ianelli wrote:
| europroNET Bosnia has reported a large scale DDoS attack targeting one
| of their IPs (80.65.160.10). All the flows are UDP based, so there may
| be some spoofing involved, though the number of unique sources (listed
| below) is quite small.
|
| I've attached the flows they've passed onto us; unfortunately I don't
| have timestamps, though we received it at 0635EST.
|
| This is an extortion attempt (pay or the DDoS will continue); any help
| anyone can lend in attempting to track down the C&C and get this bad boy
| mitigated would be great.
Nick,
At least one of the source IPs you listed was talking to the following
C&C (listed in DDoS-RS) at 2008-03-02 23:47:03:
30058 | FDCSERVERS - FDC Servers.net, LLC | 208.98.32.147 | tcp | 8585 | 2008-03-01 08:59:02 | 2008-03-09 08:59:02 | bot | 0 | 0 | ID: servidor.virtualife.com.br
And another was connected to an Undernet botnet at 2008-02-14 13:21:34.
They look largely like Linux boxes, though there are a few Windows boxes
thrown in. A couple have also been seen hosting malware URLs and
phishing sites, not too surprising seeing as they're compromised *NIX boxes.
We're still digging for better correlation on a C&C, but, as I said,
that particular one above was talking to at least one of your attackers
pretty recently.
Regards,
Tim
- --
Tim Wilde, Manager of Development, Team Cymru
twilde at cymru.com | +1-312-924-4033 | http://www.cymru.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFH0YQsluRbRini9tgRAnidAJ0RSGZuhHjeshHYc4SBNcDZXyXA1gCfU2WK
v05RxUFe1j28e/UtJJw8K60=
=hcU6
-----END PGP SIGNATURE-----
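The correlation Tim describes (matching the attack's UDP source IPs against recorded bot-to-C&C contacts, then reading the C&C's details out of a pipe-delimited record like the one he quotes) can be scripted. The following is an added example, not code from the thread, Team Cymru or DDoS-RS: the field names assigned to the record columns are an assumption about the layout, and the flow lines and C&C sightings are constructed sample data using RFC 5737 addresses; only the C&C record line itself is taken from the mail.

```python
"""Correlate UDP flood source IPs against known C&C sightings.

Added example, not part of the nsp-sec thread. The record field names and
all sample data except CC_RECORD are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# The DDoS-RS style record quoted in the mail. The column names below are
# our assumption about the layout, not a documented schema.
CC_RECORD = ("30058 | FDCSERVERS - FDC Servers.net, LLC | 208.98.32.147 | tcp | "
             "8585 | 2008-03-01 08:59:02 | 2008-03-09 08:59:02 | bot | 0 | 0 | "
             "ID: servidor.virtualife.com.br")
CC_FIELDS = ("asn", "as_name", "ip", "proto", "port", "first_seen",
             "last_seen", "kind", "f1", "f2", "id")

# Constructed bot-to-C&C sightings: bot_ip cc_ip timestamp (RFC 5737 ranges).
SIGHTINGS = """\
192.0.2.10 208.98.32.147 2008-03-02 23:47:03
192.0.2.11 203.0.113.5 2008-02-14 13:21:34
198.51.100.9 208.98.32.147 2008-02-20 02:00:00
"""

# Constructed flow lines: src_ip src_port dst_ip dst_port proto bytes
FLOWS = """\
192.0.2.10 40001 80.65.160.10 53 udp 1460
192.0.2.10 40002 80.65.160.10 53 udp 1460
192.0.2.11 51000 80.65.160.10 80 udp 1460
192.0.2.12 51001 80.65.160.10 80 udp 1460
198.51.100.9 1024 80.65.160.10 80 udp 1460
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_cc_record(line):
    """Split one pipe-delimited C&C record into a dict (assumed column order)."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(CC_FIELDS):
        raise ValueError(f"expected {len(CC_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(CC_FIELDS, parts))
    rec["asn"] = int(rec["asn"])
    rec["port"] = int(rec["port"])
    for key in ("first_seen", "last_seen"):
        rec[key] = datetime.strptime(rec[key], TS)
    if rec["id"].startswith("ID:"):          # strip the "ID:" label
        rec["id"] = rec["id"][3:].strip()
    return rec


def parse_sightings(text):
    """Map bot_ip -> [(cc_ip, seen_at)] from the sighting lines."""
    by_bot = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        bot, cc, date, time = line.split()
        by_bot[bot].append((cc, datetime.strptime(f"{date} {time}", TS)))
    return by_bot


def udp_sources(text, target):
    """Count UDP flows per source IP aimed at the target address."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, _dport, proto, _bytes = line.split()
        if dst == target and proto.lower() == "udp":
            counts[src] += 1
    return counts


def correlate(flows, sightings, cc_records, target):
    """Return {src_ip: [(cc_ip, seen_at, in_window)]} for attack sources with
    a recorded C&C contact. in_window is True only when the sighting falls
    inside the C&C record's first_seen..last_seen range, a sanity check on
    how current the attribution is."""
    by_cc_ip = {r["ip"]: r for r in cc_records}
    hits = {}
    for src in udp_sources(flows, target):
        for cc, seen in sightings.get(src, []):
            rec = by_cc_ip.get(cc)
            in_window = rec is not None and rec["first_seen"] <= seen <= rec["last_seen"]
            hits.setdefault(src, []).append((cc, seen, in_window))
    return hits


if __name__ == "__main__":
    records = [parse_cc_record(CC_RECORD)]
    result = correlate(FLOWS, parse_sightings(SIGHTINGS), records, "80.65.160.10")
    for src, contacts in sorted(result.items()):
        for cc, seen, ok in contacts:
            print(f"{src} -> C&C {cc} at {seen} (within record window: {ok})")
```

Sources with no sighting (192.0.2.12 in the sample) simply do not appear in the result; with UDP flows they may be spoofed, so absence from the feed is not evidence either way. Sightings outside the record's window (198.51.100.9 here) are flagged so an analyst can weigh how stale the link is before acting on it.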