[nsp-sec] UDP attack against 62.50.74.122 (AS15650)
Mike Hellers
Mike.Hellers at interoute.com
Tue Mar 11 12:57:52 EDT 2008
All,
AS15650 saw a rather high bandwidth (around 2Gbps) DDOS attack against
one of their customers today (target 62.50.74.122 - AS15650).
The flows were all UDP, so some of the source addresses might be
spoofed, but looking at some of the source IPs we could identify, I
suspect a lot of them to be real compromised boxes.
I would appreciate any insight somebody might have to link this attack
to any known C&C.
Attached are some of the flows as we (AS8928) have seen them.
Here is the list of source IPs based on those flows:
...mike
--
Mike Hellers
Interoute Communications
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: flows-62.50.74.122.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080311/e727c41c/attachment-0001.txt>