[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)
Smith, Donald
Donald.Smith at qwest.com
Fri Mar 7 13:29:34 EST 2008
Nic, if they can, they should block udp 0 <-> udp 0 somewhere upstream.
That accounts for a very large portion of this attack and is invalid :)
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Nicholas Ianelli
> Sent: Friday, March 07, 2008 8:02 AM
> To: 'nsp-security NSP'
> Subject: [nsp-sec] UDP based DDoS attack against 80.65.160.10
> (AS21196)
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
europroNET Bosnia has reported a large scale DDoS attack targeting one
of their IPs (80.65.160.10). All the flows are UDP based, so there may
be some spoofing involved, though the number of unique sources (listed
below) is quite small.
I've attached the flows they've passed on to us; unfortunately I don't
have timestamps, though we received it at 0635 EST.
This is an extortion attempt (pay or the DDoS will continue); any help
anyone can lend in attempting to track down the C&C and get this bad boy
mitigated would be great.
I'll see if I can get some update information to pass along. I'd ask
that you not block access to 80.65.160.10, but if you see UDP(17) flows
to that host, you may have an infected client.
21196 | 80.65.160.10 | EPN-BA-AS europroNET Bosnia Autonomus System
v4-peer.whois.cymru.com
25144 | 80.65.160.10 | TELEKOM-SRPSKE-AS Telekom Srpske
1659 | 140.137.36.183 | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
1659 | 203.71.86.40 | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
3352 | 217.125.81.158 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3561 | 72.232.118.239 | SAVVIS - Savvis
3595 | 209.51.132.250 | GNAXNET-AS - Global Net Access, LLC
4621 | 203.158.221.8 | UNSPECIFIED UNINET-TH
4780 | 59.105.159.123 | SEEDNET Digital United Inc.
5486 | 213.8.178.12 | SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel
6147 | 200.48.19.226 | Telefonica del Peru S.A.A.
9316 | 125.242.2.136 | DACOM-PUBNETPLUS-AS-KR DACOM PUBNETPLUS
9318 | 121.124.127.21 | HANARO-AS Hanaro Telecom Inc.
11530 | 71.0.1.210 | EMBARQ-MNFD - Embarq Corporation
21844 | 70.85.94.226 | THEPLANET-AS - THE PLANET
21844 | 74.52.29.194 | THEPLANET-AS - THE PLANET
24971 | 89.185.254.237 | MASTER-AS Master Internet s.r.o / Czech Republic / www.master.cz
27823 | 200.58.112.71 | Dattatec.com
27823 | 200.58.112.96 | Dattatec.com
30217 | 207.234.130.91 | DESYNC - Desync Networks
32244 | 72.52.250.46 | LIQUID-WEB-INC - Liquid Web, Inc.
https://asn.cymru.com/nsp-sec/upload/1204901454.whois.txt
Thanks!
Nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFH0VjLi10dJIBjZIARCHdmAJ0RKkSKFxXpelVhMB3pypgLKgQO4ACfTSUb
SE2DragX1CIoEllpZLpNYMI=
=1Tho
-----END PGP SIGNATURE-----
> ----------- nsp-security Confidential --------
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
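As an added illustration of the two checks raised in this thread (Donald's point that the UDP port 0 <-> port 0 traffic is a large, invalid share of the flood that can be filtered upstream, and Nick's point that UDP flows toward 80.65.160.10 from your own address space mean you probably have an infected client), here is a small flow-triage script. It is not part of the original messages, the flows europroNET attached, or any nsp-security tool. The whitespace-separated flow format, the sample records (which use documentation address ranges as sources) and the "local" prefix are all constructed for the example.

```python
"""Triage of a UDP flood against one victim IP from flow records.

Added example for this thread, not the flows attached to it. It assumes a
simple whitespace-separated flow export format (an assumption made here):

    src_ip src_port dst_ip dst_port proto packets bytes
"""
import ipaddress
from collections import Counter

VICTIM = "80.65.160.10"   # target IP named in the thread
UDP = 17

# Constructed sample flows (documentation ranges as sources), not real traffic.
SAMPLE_FLOWS = """\
192.0.2.10    0     80.65.160.10 0   17 120000 61440000
192.0.2.44    0     80.65.160.10 0   17  95000 48640000
203.0.113.9   4127  80.65.160.10 53  17   3000  1536000
203.0.113.77  0     80.65.160.10 0   17 110000 56320000
192.0.2.200   33421 80.65.160.10 80   6     40     2400
203.0.113.77  51000 80.65.160.10 123 17   2500  1280000
198.51.100.7  0     80.65.160.10 0   17  70000 35840000
this line is malformed and is skipped
"""


def parse_flows(text):
    """Parse flow lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        try:
            flows.append({
                "src": parts[0], "sport": int(parts[1]),
                "dst": parts[2], "dport": int(parts[3]),
                "proto": int(parts[4]), "pkts": int(parts[5]),
                "bytes": int(parts[6]),
            })
        except ValueError:
            continue
    return flows


def triage(flows, victim=VICTIM):
    """Summarise UDP flows toward the victim.

    Reports how much of the packet volume is UDP port 0 <-> port 0 (the
    part suggested for upstream filtering) and the per-source volume.
    Caveat: flow exporters also record port 0 for non-initial IP fragments,
    which carry no UDP header, so not all port-0 traffic is bogus.
    """
    udp = [f for f in flows if f["dst"] == victim and f["proto"] == UDP]
    port0 = [f for f in udp if f["sport"] == 0 and f["dport"] == 0]
    total_pkts = sum(f["pkts"] for f in udp)
    port0_pkts = sum(f["pkts"] for f in port0)
    per_source = Counter()
    for f in udp:
        per_source[f["src"]] += f["pkts"]
    return {
        "udp_flows": len(udp),
        "port0_flows": len(port0),
        "port0_packet_share": port0_pkts / total_pkts if total_pkts else 0.0,
        "unique_sources": len(per_source),
        "top_sources": per_source.most_common(5),
    }


def suspicious_local_sources(flows, local_nets, victim=VICTIM):
    """Return sources inside local_nets that send UDP to the victim.

    An operator seeing UDP flows from its own address space toward the
    victim probably has an infected client on that address.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    found = set()
    for f in flows:
        if f["dst"] != victim or f["proto"] != UDP:
            continue
        addr = ipaddress.ip_address(f["src"])
        if any(addr in n for n in nets):
            found.add(f["src"])
    return sorted(found)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = triage(flows)
    print(f"UDP flows to {VICTIM}: {summary['udp_flows']}, "
          f"port 0<->0: {summary['port0_flows']} "
          f"({summary['port0_packet_share']:.1%} of packets)")
    print("unique sources:", summary["unique_sources"])
    for src, pkts in summary["top_sources"]:
        print(f"  {src:15} {pkts} pkts")
    # Assumed operator prefix; 198.51.100.0/24 is a documentation range.
    print("local infected-client candidates:",
          suspicious_local_sources(flows, ["198.51.100.0/24"]))
```

The port-0 share is what justifies an upstream filter on UDP port 0 <-> port 0 rather than blocking the victim outright; the per-source packet counts give the list to hand to the source ASNs. Keep the fragment caveat in mind when reading the share: exporters report port 0 for non-initial fragments of legitimate large UDP datagrams (DNS over UDP with large answers, for example), so check whether the port-0 flows carry a fragment flag before treating every one as attack traffic.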