[nsp-sec] UDP based DDoS attack against 80.65.160.10 (AS21196)

Rob Thomas robt at cymru.com
Sat Mar 8 12:53:19 EST 2008


Hey, Nick.

Apologies for the tardy response; I was on the road.

> europroNET Bosnia has reported a large scale DDoS attack targeting one
> of their IPs (80.65.160.10). All the flows are UDP based, so there may
> be some spoofing involved, though the amount of unique sources (listed
> below) is quite small.

At least some of the attacks were launched from a combination Windows and Unix botnet.  The botnet is located on the #rlz channel on 64.32.10.177 TCP 6667.  We see 37 bots on the attack channel presently.  The miscreant or crew is labeled as "jebac" (no quotes).  We don't generally see bots of different OSes combined in one channel, so this is fairly rare:

#rlz       [A]UDP48264971 H   ~UDP572351 at UDPLink-CFECB7CA.operating-networks.de (Linux operatingcust01.operating-networks.de 2.4.21)
#rlz       [C]UDP37410253 H   ~UDP929979 at UDPLink-8009F69E.skypoint.net (FreeBSD matthew.skypoint.net 4.5-RELEASE FreeBSD 4)
#rlz       [A]UDP46308402 H   ~UDP647385 at 67D107C.4C4F7FB1.4A809331.IP (Windows NT LAB223SERVER 5.2 build 3790)
#rlz       [A]UDP82437591 H   ~UDP911187 at 76395417.B3290689.E4654BAC.IP (SunOS omega 5.8 Generic_108528-24 sun4u)
[ ... ]

Some of the attack commands are listed here.  All dates and times are  
UTC/GMT.

2008-03-07 09:12:59  [#rlz] <A>  .udpflood 80.65.160.10 65000 120
2008-03-07 09:23:12  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:22  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:24  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:26  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:33  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:43  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:25:32  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:25:33  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:25:33  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:25:33  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:21  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:45  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:45  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:45  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:27:30  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:27:30  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:27:30  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:28:29  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:28:29  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:28:29  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:28:30  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
[ ... ]

There are a lot of fun sounding channels and channel topics there.

*** #Ikky      12     [+rk] ( PRIVATE )
*** #scan      15     [+ntr] iLeGaiS TeaM - www.ilegais.com ! - Scan ON NOT INURL ETC... COMAND !rfi bug dork
*** #balera    1      [+ntr] ( Balera ) | BOTS: ownz.udplink.net |
*** ##ksc##    5      [+ntr] don't DDoS us, I'm going to bed, night owl ********
*** #Services  2      [+ntr] Services Channel
*** #senha     1      [+nt]
*** #GE        1      [+nt]
*** #GI        2      [+ntr] ownz.udplink.net
*** #Jo        1      [+ntr]
*** ##vnc##    2      [+nt]
*** #jbksdfsd  1      [+nt]
*** #albania   2      [+ntr]  Welcome To #Albania Have Nice Stay !!!  Scan: ON  http://www.attacks.ch/  Internet Radio & Tv Join us and to www.ilegais.com ...! 100% Clean Sites Enjoy Your Stay...!!!
*** #baliemhac 4      [+nt]
*** #CMD       3      [+ntrk] ?~~~~~ Entering without being invited?? = KICK/BAN ~~~~~?
*** #UDP       41     [+ntr] Welcome to paradise. WARNING! don't use "inurl: allinurl: intitle: intext:" * IRC: irc.udplink.net BOTS: ownz.udplink.net HOSP/DOMAIN: http://www.pingohost.com * UDPLink Network
*** #war       5      [+ntr] botnet load on ownz.udplink.net :D
*** #rlz       39     [+sntr] jebac $$$ crew
*** #GameIRC   2      [+ntr] load on ownz.udplink.net
*** #subzid    4      [+ntr] #Subzid/UDPLink: SCAN ONLINE Strings: http://www.pucorp.t5.com.br/strings.txt
*** #enchufe   1      [+nt]
*** #6thsense  2      [+ntr] load on ownz.udplink.net
*** #ilegais   8      [+ntr] .::,iLeGaiS TeaM::.  www.ilegais.com   Bro Apx_ temporarily out of the group =/  || JO RETIRED|| But still part of Ilegais!

Lots more to investigate there.

Thanks,
Rob.

-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
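Added example, not part of Rob's message or any Team Cymru tooling: a small Python parser for the two kinds of C&C evidence quoted in the message above, the channel roster with its OS banners and the timestamped .udpflood commands. It rejoins nothing itself; the sample lines below are constructed to match the e-mail's layout with the soft-wrapped roster entries already on one line. The field names, treating the first .udpflood argument as the target, and the roster/command regexes are this example's own assumptions; the meaning of the two numeric parameters is not stated in the message, so they are carried through uninterpreted.

```python
# Example code (not from the e-mail or Team Cymru): parse IRC C&C evidence of
# the form quoted above and summarise it the way an analyst would before
# writing a report: OS families on the channel, targets, burst timing.
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the e-mail's roster layout (wrapped lines rejoined).
ROSTER = """\
#rlz       [A]UDP48264971 H   ~UDP572351 at UDPLink-CFECB7CA.operating-networks.de (Linux operatingcust01.operating-networks.de 2.4.21)
#rlz       [C]UDP37410253 H   ~UDP929979 at UDPLink-8009F69E.skypoint.net (FreeBSD matthew.skypoint.net 4.5-RELEASE FreeBSD 4)
#rlz       [A]UDP46308402 H   ~UDP647385 at 67D107C.4C4F7FB1.4A809331.IP (Windows NT LAB223SERVER 5.2 build 3790)
#rlz       [A]UDP82437591 H   ~UDP911187 at 76395417.B3290689.E4654BAC.IP (SunOS omega 5.8 Generic_108528-24 sun4u)
"""

# Constructed sample in the e-mail's command-log layout (a subset of the burst).
COMMANDS = """\
2008-03-07 09:12:59  [#rlz] <A>  .udpflood 80.65.160.10 65000 120
2008-03-07 09:23:12  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:23:22  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:25:33  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
2008-03-07 09:26:46  [#rlz] <A>  .udpflood 80.65.160.10 999999 20
"""

# Assumed layout: "#chan [mode]nick flags ident at host (banner)".
ROSTER_RE = re.compile(
    r"^(?P<chan>#\S+)\s+\[(?P<mode>[A-Z])\](?P<nick>\S+)\s+(?P<flags>\S+)\s+"
    r"(?P<ident>\S+) at (?P<host>\S+)\s+\((?P<banner>[^)]*)\)\s*$")

# Assumed layout: "YYYY-MM-DD HH:MM:SS  [#chan] <nick>  .command args...".
COMMAND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\[(?P<chan>#\S+)\]\s+"
    r"<(?P<nick>[^>]+)>\s+\.(?P<cmd>\w+)(?:\s+(?P<args>.*))?$")


def parse_roster(text):
    """One dict per bot; 'os' is the first word of the banner (Linux, FreeBSD, ...)."""
    bots = []
    for line in text.splitlines():
        m = ROSTER_RE.match(line)
        if not m:
            continue  # skip non-roster lines or unjoined wrap fragments
        rec = m.groupdict()
        rec["os"] = rec["banner"].split()[0] if rec["banner"] else "unknown"
        bots.append(rec)
    return bots


def os_families(text):
    """Count of bots per OS family as reported in the banner."""
    return Counter(b["os"] for b in parse_roster(text))


def is_mixed_os(text):
    """The observation in the message: more than one OS family on one channel."""
    return len(os_families(text)) > 1


def parse_commands(text):
    """Attack commands as dicts; args[0] is assumed to be the target, the rest kept raw."""
    cmds = []
    for line in text.splitlines():
        m = COMMAND_RE.match(line)
        if not m:
            continue
        args = (m["args"] or "").split()
        cmds.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "chan": m["chan"], "nick": m["nick"], "cmd": m["cmd"],
            "target": args[0] if args else None,
            "params": args[1:],  # semantics not given in the e-mail; left uninterpreted
        })
    return cmds


def summarize_commands(text):
    """Commands per target, span of the burst in seconds, and the busiest minute."""
    cmds = parse_commands(text)
    if not cmds:
        return {"count": 0, "targets": Counter(), "span_seconds": 0, "busiest_minute": None}
    per_minute = Counter(c["ts"].strftime("%Y-%m-%d %H:%M") for c in cmds)
    span = (max(c["ts"] for c in cmds) - min(c["ts"] for c in cmds)).total_seconds()
    return {
        "count": len(cmds),
        "targets": Counter(c["target"] for c in cmds),
        "span_seconds": int(span),
        "busiest_minute": per_minute.most_common(1)[0],
    }


if __name__ == "__main__":
    print("OS families:", dict(os_families(ROSTER)), "mixed:", is_mixed_os(ROSTER))
    print("Command summary:", summarize_commands(COMMANDS))
```

Run against a fuller capture, the per-target counter and busiest-minute figure are what you would hand to the victim's upstream along with the C&C address; the OS-family counter is a quick check for the kind of mixed Windows/Unix channel the message calls rare.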