[nsp-sec] DDOS to 163.6.5.36 ongoing
Patrick Bergen
pbergen at uen.org
Tue Mar 25 11:09:26 EDT 2008
Starting at approx. 13:10 (UTC) today we started taking a TCP SYN attack
directed at 163.6.5.36.
This was the host www.davis.k12.ut.us.
This host is the webserver for a large school district. We changed all the
DNS to:
host www.davis.k12.ut.us
www.davis.k12.ut.us has address 163.6.5.80
Other DNS records attached to the former address were
webserv.davis.k12.ut.us
Davis.k12.ut.us
I'm still seeing quite a few hits to the old IP, guessing they are spoofed.
Can you all search SYN flows to either 67.172.245.50 or 163.6.5.80 anytime
after 13:10 today?
Here is a list I scraped together of the top talkers a few mins ago.
We think some "creative" students that were recently banned from the
district network are responsible, so any help or info would be greatly
appreciated at this point.
*Note: if your cust is a US educational institution there could be some
large legit traffic flows, but certainly not numerous SYN flows.
--
Patrick Bergen
Sr. Systems Security Analyst
UEN Security Office
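The search the post asks peers to run, as an added example that is not part of the original message: rank source IPs by SYN-only TCP flows towards the attacked addresses after the 13:10 UTC start. The flow record layout, the `parse_flow`/`syn_talkers` helpers and the sample lines are constructed for illustration (documentation-range addresses, not the post's real top talkers).

```python
# Added example: rank sources of SYN-only TCP flows towards the attacked hosts.
# Record layout is a constructed, simplified nfdump-like text format (assumption).
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: "date time proto src:port -> dst:port flags packets"
SAMPLE_FLOWS = """\
2008-03-25 13:12:01 TCP 203.0.113.7:4412 -> 163.6.5.80:80 ....S. 1
2008-03-25 13:12:02 TCP 203.0.113.7:4413 -> 163.6.5.80:80 ....S. 1
2008-03-25 13:12:03 TCP 198.51.100.9:33001 -> 163.6.5.80:80 .AP.SF 14
2008-03-25 13:05:00 TCP 192.0.2.55:1024 -> 163.6.5.80:80 ....S. 1
2008-03-25 13:14:10 TCP 192.0.2.55:1025 -> 163.6.5.80:80 ....S. 1
2008-03-25 13:14:11 TCP 192.0.2.55:1026 -> 163.6.5.80:80 ....S. 1
2008-03-25 13:14:12 TCP 192.0.2.55:1027 -> 163.6.5.36:80 ....S. 1
2008-03-25 13:15:00 UDP 192.0.2.55:53 -> 163.6.5.80:53 ...... 2
"""

def parse_utc(date, time):
    """Combine the record's date and time fields into an aware UTC datetime."""
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_flow(line):
    """Split one flow line into a dict; returns None for a malformed line."""
    parts = line.split()
    if len(parts) != 8 or parts[4] != "->":
        return None
    return {"start": parse_utc(parts[0], parts[1]), "proto": parts[2],
            "src": parts[3].rsplit(":", 1)[0], "dst": parts[5].rsplit(":", 1)[0],
            "flags": parts[6], "packets": int(parts[7])}

def is_syn_only(flags):
    """SYN set but ACK never seen: the handshake never completed, which is what a
    flood from spoofed sources looks like; real clients go on to ACK."""
    return "S" in flags and "A" not in flags

def syn_talkers(flow_text, targets, since_date, since_time, min_flows=2):
    """Count SYN-only TCP flows per source IP towards any address in `targets`
    started at or after the given UTC time; busiest sources first. Sources below
    min_flows are dropped so one retry from a legitimate host is not reported."""
    since = parse_utc(since_date, since_time)
    counts = Counter()
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "TCP" or f["dst"] not in targets:
            continue
        if f["start"] < since or not is_syn_only(f["flags"]):
            continue
        counts[f["src"]] += 1
    return [(src, n) for src, n in counts.most_common() if n >= min_flows]

if __name__ == "__main__":
    for src, n in syn_talkers(SAMPLE_FLOWS, {"163.6.5.80", "163.6.5.36"}, "2008-03-25", "13:10:00"):
        print(f"{n:5d} syn-only flows from {src}")
```

A completed handshake (flags containing A) is excluded, which is how the "large legit traffic flows" from an educational customer mentioned in the note are kept out of the ranking.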