[nsp-sec] DDOS to 163.6.5.36 ongoing
Tino Steward
tsteward at us.ntt.net
Tue Mar 25 11:56:01 EDT 2008
Ack'd 2914
On Tue, Mar 25, 2008 at 09:09:26AM -0600, Patrick Bergen wrote:
> ----------- nsp-security Confidential --------
>
> Starting approx 13:10 (UTC) today we started taking a tcp syn attack
> directed to 163.6.5.36.
>
> This was the host www.davis.k12.ut.us.
>
> This host is the webserver for a large school district. We changed all the
> dns to:
>
> host www.davis.k12.ut.us
> www.davis.k12.ut.us has address 163.6.5.80
>
> Other DNS records attached to the former address were
>
> webserv.davis.k12.ut.us
> Davis.k12.ut.us
>
> I'm still seeing quite a few hits to the old IP, guessing they are spoofed.
>
> Can you all search syn flows to either 67.172.245.50 or 163.6.5.80 anytime
> after 13:10 today?
>
> Here is a list I scraped together of the top talkers a few mins ago.
>
>
>
> 209 | 65.124.208.238 | ASN-QWEST - Qwest
> 209 | 71.34.148.31 | ASN-QWEST - Qwest
> 209 | 75.165.237.243 | ASN-QWEST - Qwest
> 400 | 137.241.250.100 | AFCONC-BLOCK1-AS - Headquarters Standard Systems Center
> 400 | 137.241.250.101 | AFCONC-BLOCK1-AS - Headquarters Standard Systems Center
> 577 | 64.230.82.116 | BACOM - Bell Canada
> 577 | 69.156.98.66 | BACOM - Bell Canada
> 701 | 208.252.23.50 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 719 | 91.153.159.128 | ELISA-AS Elisa Oyj
> 812 | 99.248.25.181 | ROGERS-CABLE - Rogers Cable Communications Inc.
> 852 | 205.206.90.53 | ASN852 - Telus Advanced Communications
> 852 | 209.89.83.84 | ASN852 - Telus Advanced Communications
> 855 | 142.167.108.94 | CANET-ASN-4 - Bell Aliant
> 1241 | 77.49.104.151 | FORTHNET-GR FORTHnet
> 1241 | 77.49.187.116 | FORTHNET-GR FORTHnet
> 1257 | 83.182.170.240 | TELE2
> 1668 | 172.143.101.98 | AOL-ATDN - AOL Transit Data Network
> 1668 | 172.188.135.202 | AOL-ATDN - AOL Transit Data Network
> 1680 | 85.250.73.1 | NetVision Ltd.
> 2119 | 85.165.147.33 | TELENOR-NEXTEL T.net
> 2119 | 88.88.32.125 | TELENOR-NEXTEL T.net
> 2119 | 88.88.32.197 | TELENOR-NEXTEL T.net
> 2119 | 88.89.193.247 | TELENOR-NEXTEL T.net
> 2119 | 88.90.29.101 | TELENOR-NEXTEL T.net
> 2119 | 88.90.29.85 | TELENOR-NEXTEL T.net
> 2529 | 62.56.106.215 | DEMON-INTERNET Demon Internet
> 2856 | 86.130.164.187 | BT-UK-AS BTnet UK Regional network
> 2856 | 86.132.207.159 | BT-UK-AS BTnet UK Regional network
> 2856 | 86.147.156.155 | BT-UK-AS BTnet UK Regional network
> 2856 | 86.150.140.57 | BT-UK-AS BTnet UK Regional network
> 2860 | 89.180.133.17 | NOVIS Novis Telecom, S.A.
> 3209 | 88.64.8.35 | Arcor IP-Network
> 3209 | 88.65.33.178 | Arcor IP-Network
> 3215 | 86.207.41.153 | AS3215 France Telecom - Orange
> 3215 | 90.0.253.147 | AS3215 France Telecom - Orange
> 3215 | 90.1.104.183 | AS3215 France Telecom - Orange
> 3215 | 90.50.215.181 | AS3215 France Telecom - Orange
> 3249 | 80.235.56.82 | ESTPAK Estonian Telephone Company Ltd.
> 3269 | 79.13.117.67 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 79.3.147.142 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 79.9.117.92 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.11.149.155 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.11.187.40 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.11.92.47 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.16.163.198 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.19.22.8 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.2.208.19 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 87.7.137.3 | ASN-IBSNAZ TELECOM ITALIA
> 3269 | 88.50.156.210 | ASN-IBSNAZ TELECOM ITALIA
> 3292 | 217.61.114.10 | TDC TDC Data Networks
> 3292 | 83.89.118.119 | TDC TDC Data Networks
> 3301 | 78.69.203.206 | TELIANET-SWEDEN TeliaNet Sweden
> 3301 | 81.236.14.19 | TELIANET-SWEDEN TeliaNet Sweden
> 3301 | 90.227.15.165 | TELIANET-SWEDEN TeliaNet Sweden
> 3301 | 90.230.118.21 | TELIANET-SWEDEN TeliaNet Sweden
> 3308 | 62.198.198.250 | TELIANET-DENMARK TeliaNet Denmark
> 3340 | 195.56.15.249 | DataNet Telecommunication Ltd.
> 3340 | 91.120.161.166 | DataNet Telecommunication Ltd.
> 3352 | 217.126.169.135 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
> 3462 | 59.127.202.4 | HINET Data Communication Business Group
> 4230 | 200.244.105.2 | Embratel
> 4589 | 90.192.165.152 | EASYNET Easynet Group Plc
> 4589 | 90.198.23.137 | EASYNET Easynet Group Plc
> 4713 | 60.47.207.145 | OCN NTT Communications Corporation
> 4766 | 121.164.176.27 | KIXS-AS-KR Korea Telecom
> 5089 | 80.1.145.73 | NTL NTL Group Limited
> 5089 | 81.101.25.103 | NTL NTL Group Limited
> 5089 | 81.104.192.139 | NTL NTL Group Limited
> 5089 | 81.98.229.123 | NTL NTL Group Limited
> 5089 | 82.23.221.50 | NTL NTL Group Limited
> 5089 | 82.28.231.133 | NTL NTL Group Limited
> 5089 | 82.28.245.17 | NTL NTL Group Limited
> 5089 | 86.21.76.80 | NTL NTL Group Limited
> 5089 | 86.8.63.174 | NTL NTL Group Limited
> 5391 | 78.0.117.227 | T-HT T-Com Croatia Internet network
> 5391 | 83.131.75.73 | T-HT T-Com Croatia Internet network
> 5462 | 77.98.233.224 | CABLEINET Telewest Broadband
> 5466 | 86.42.199.187 | EIRCOM Eircom
> 5515 | 80.223.207.160 | TS-FINLAND-DATANET-OLD TS Finland DataNet
> 5515 | 88.193.53.113 | TS-FINLAND-DATANET-OLD TS Finland DataNet
> 5610 | 194.228.244.146 | CZECHTELECOM CZECH TELECOM, a.s
> 5610 | 90.177.193.61 | CZECHTELECOM CZECH TELECOM, a.s
> 5690 | 209.91.186.24 | VIANET-NO - Via Computer and Communications (ViaNet)
> 5760 | 216.195.178.78 | BIDDEFORD1 - Biddeford Internet Corp
> 5769 | 24.201.13.163 | VIDEOTRON - Videotron Telecom Ltee
> 5769 | 69.51.216.103 | VIDEOTRON - Videotron Telecom Ltee
> 5769 | 74.57.46.121 | VIDEOTRON - Videotron Telecom Ltee
> 6380 | 68.209.180.11 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
> 6385 | 74.228.142.38 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
> 6389 | 68.153.117.98 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
> 6407 | 207.112.118.16 | PRIMUS-AS6407 - Primus Telecommunications Canada Inc.
> 6621 | 67.45.141.50 | HNS-DIRECPC - Hughes Network Systems
> 6677 | 85.220.37.39 | ICENET-AS1 *********************************
> 6785 | 85.83.55.38 | CYBERCITY Cybercity A/S
> 6799 | 79.130.173.234 | OTENET-GR OTEnet S.A. Multiprotocol Backbone & ISP
> 6799 | 87.202.188.174 | OTENET-GR OTEnet S.A. Multiprotocol Backbone & ISP
> 6799 | 87.202.234.219 | OTENET-GR OTEnet S.A. Multiprotocol Backbone & ISP
> 6830 | 77.249.9.12 | UPC UPC Broadband
> 6830 | 85.127.178.233 | UPC UPC Broadband
> 6848 | 78.20.66.34 | TELENET-AS Telenet Operaties N.V.
> 7132 | 64.219.79.205 | SBIS-AS - AT&T Internet Services
> 7132 | 68.21.244.29 | SBIS-AS - AT&T Internet Services
> 7132 | 68.92.52.150 | SBIS-AS - AT&T Internet Services
> 7132 | 69.210.135.53 | SBIS-AS - AT&T Internet Services
> 7132 | 69.233.24.125 | SBIS-AS - AT&T Internet Services
> 7132 | 75.25.190.133 | SBIS-AS - AT&T Internet Services
> 7132 | 76.194.221.180 | SBIS-AS - AT&T Internet Services
> 7132 | 76.238.155.143 | SBIS-AS - AT&T Internet Services
> 7602 | 116.118.6.34 | SPT-AS-VN Saigon Postel Corporation
> 7643 | 192.168.1.13 | VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
> 7725 | 71.199.168.149 | CCH-AS7 - Comcast Cable Communications Holdings, Inc
> 7725 | 98.193.235.221 | CCH-AS7 - Comcast Cable Communications Holdings, Inc
> 7738 | 189.13.213.51 | Telecomunicacoes da Bahia S.A.
> 7738 | 189.81.6.230 | Telecomunicacoes da Bahia S.A.
> 7949 | 65.183.191.20 | WMIS-AS - West Michigan Internet Services
> 7992 | 24.57.192.235 | COGECOWAVE - Cogeco Cable
> 8167 | 189.11.221.178 | TELESC - Telecomunicacoes de Santa Catarina SA
> 8341 | 84.105.241.244 | QUICKNET MultiKabel QuickNet Netherlands
> 8452 | 41.235.210.91 | TEDATA TEDATA
> 8468 | 78.32.69.118 | ENTANET ENTANET International Ltd
> 8708 | 213.157.179.194 | RDSNET RCS & RDS S.A.
> 8708 | 81.196.154.204 | RDSNET RCS & RDS S.A.
> 8708 | 86.124.60.17 | RDSNET RCS & RDS S.A.
> 8708 | 89.34.86.163 | RDSNET RCS & RDS S.A.
> 8737 | 84.81.41.157 | PT KPN Internet Solutions
> 8737 | 86.87.22.164 | PT KPN Internet Solutions
> 8737 | 86.94.50.175 | PT KPN Internet Solutions
> 9050 | 89.122.151.108 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 89.123.118.139 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 89.123.41.247 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 89.123.87.163 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 89.42.211.12 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 92.81.176.9 | RTD RTD-ROMTELECOM Autonomous System Number
> 9050 | 92.81.73.147 | RTD RTD-ROMTELECOM Autonomous System Number
> 9105 | 88.106.210.87 | TISCALI-UK Tiscali UK
> 9105 | 88.108.210.136 | TISCALI-UK Tiscali UK
> 9143 | 84.31.59.202 | ATHOME-BENELUX-BV AtHome Benelux BV provides broadband ISP services
> 9299 | 122.55.198.44 | IPG-AS-AP Philippine Long Distance Telephone Company
> 9498 | 122.163.165.243 | BBIL-AP BHARTI BT INTERNET LTD.
> 9498 | 122.167.91.123 | BBIL-AP BHARTI BT INTERNET LTD.
> 9829 | 117.199.96.181 | BSNL-NIB National Internet Backbone
> 9829 | 117.199.97.183 | BSNL-NIB National Internet Backbone
> 9829 | 218.248.68.63 | BSNL-NIB National Internet Backbone
> 9919 | 220.229.85.216 | NCIC-TW New Century InfoComm Tech Co., Ltd.
> 10139 | 125.60.240.197 | SMARTBRO-PH-AP Smart Broadband, Inc.
> 10620 | 200.118.182.19 | TV Cable S.A.
> 10796 | 76.181.116.110 | SCRR-10796 - Road Runner HoldCo LLC
> 10994 | 65.34.12.110 | TAMPA2-TWC-5 - Road Runner HoldCo LLC
> 10994 | 72.178.243.141 | TAMPA2-TWC-5 - Road Runner HoldCo LLC
> 11052 | 159.212.71.200 | IHC-NET - Intermountain Health Care
> 11052 | 159.212.71.25 | IHC-NET - Intermountain Health Care
> 11351 | 74.78.154.26 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
> 11426 | 75.181.167.201 | SCRR-11426 - Road Runner HoldCo LLC
> 11530 | 71.1.163.159 | EMBARQ-MNFD - Embarq Corporation
> 11550 | 66.244.123.104 | SDL-20-AS - Smithville Digital, LLC
> 12322 | 82.232.241.134 | PROXAD AS for Proxad/Free ISP
> 12322 | 82.238.115.126 | PROXAD AS for Proxad/Free ISP
> 12322 | 88.167.137.229 | PROXAD AS for Proxad/Free ISP
> 12479 | 85.58.75.176 | UNI2-AS Uni2 Autonomous System
> 12513 | 82.153.63.185 | ECLIPSE Eclipse Internet
> 12715 | 87.220.52.21 | JAZZNET Jazz Telecom S.A.
> 12715 | 87.220.53.27 | JAZZNET Jazz Telecom S.A.
> 12876 | 83.156.24.177 | AS12876 Telecom Italia France
> 13046 | 89.164.157.27 | ASN-ISKON ISKON
> 13127 | 87.211.105.246 | VERSATEL AS for the Trans-European Versatel IP Transport backbone
> 13127 | 87.212.140.163 | VERSATEL AS for the Trans-European Versatel IP Transport backbone
> 13184 | 92.224.2.233 | HANSENET HanseNet Telekommunikation GmbH
> 13280 | 62.40.57.125 | O2 Ireland
> 13280 | 89.204.196.222 | O2 Ireland
> 14382 | 208.80.72.10 | ESC13 - Education Service Center
> 14464 | 158.123.200.2 | RINET - Rhode Island Network for Educ. Technology
> 15670 | 62.177.151.242 | BBNED-AS
> 15962 | 213.151.212.218 | ORANGE SLOVENSKO Autonomous system
> 17488 | 125.99.108.130 | HATHWAY-NET-AP Hathway IP Over Cable Internet
> 17488 | 60.243.172.105 | HATHWAY-NET-AP Hathway IP Over Cable Internet
> 18002 | 202.89.74.243 | WORLDPHONE-IN AS Number for Interdomain Routing
> 19262 | 71.249.7.30 | VZGNI-TRANSIT - Verizon Internet Services Inc.
> 20057 | 32.142.12.101 | AT&T Wireless Service
> 20115 | 75.134.107.108 | CHARTER-NET-HKY-NC - Charter Communications
> 20214 | 71.203.155.16 | CCCH-AS6 - Comcast Cable Communications Holdings, Inc
> 20804 | 81.15.165.8 | ASN-TELENERGO EXATEL S.A. Autonomous System
> 22047 | 201.215.162.226 | VTR BANDA ANCHA S.A.
> 22291 | 68.186.63.195 | CHARTER-LA - Charter Communications
> 22442 | 205.196.190.199 | HOU-PHONOSCOPE - PHONOSCOPE
> 22615 | 66.244.123.104 | MONROECOUNTYCOMMSCH - Monroe County Community School Corporation
> 22773 | 70.180.42.208 | CCINET-2 - Cox Communications Inc.
> 23674 | 58.65.160.188 | MBL-AS-AP Micronet Broadband (Pvt) Ltd.
> 23700 | 118.137.18.176 | BM-AS-ID PT. Broadband Multimedia, Tbk
> 24863 | 196.205.130.8 | LINKdotNET-AS
> 24863 | 41.196.227.201 | LINKdotNET-AS
> 24971 | 81.31.45.131 | MASTER-AS Master Internet s.r.o / Czech Republic / www.master.cz
> 25002 | 81.88.239.131 | AEMCOM-AS AEMCOM Srl multicommunication company
> 25036 | 81.90.175.201 | TERMSNET-AS TERMSnet Autonomous System
> 25472 | 91.140.76.151 | EVERGY-AS Evergy S.A.,
> 27364 | 24.154.168.179 | ACS-INTERNET - Armstrong Cable Services
> 28573 | 189.4.205.248 | NET Servicos de Comunicao S.A.
> 30799 | 91.146.236.30 | AIRBITES-AS Air Bites Polska
> 31661 | 87.72.68.178 | COMX ComX Networks A/S
> 33651 | 76.20.77.225 | DNEO-OSP7 - Comcast Cable Communications, Inc.
> 33660 | 98.202.113.47 | DNEO-OSP7 - Comcast Cable Communications, Inc.
> 33774 | 41.201.235.139 | DJAWEB
> 33774 | 41.201.244.147 | DJAWEB
> 33934 | 85.173.78.99 | VOLGOGRADEC-AS Volgograd Electro Svyaz AS
> 36947 | 41.221.26.146 | FAWRI-AS
> 39458 | 195.178.106.173 | REALHOSTS-AS Real Hosts Limited
> 43234 | 92.12.75.217 | CPWBBSERV-AS Carphone Warehouse Broadband Services
>
>
> We think some "creative" students that were recently banned from the
> district network are responsible, so any help or info would be greatly
> appreciated at this point.
>
> *note, if your cust is a US educational institution there could be some
> large legit traffic flows, but certainly not numerous syn flows.
>
> --
> Patrick Bergen
> Sr. Systems Security Analyst
> UEN Security Office
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Tino T. Steward SNA1 - Security & Abuse tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center
214-853-7344 (Ph.) 214.800.7771 (Fax)
AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html
AUP online: http://www.ntt.net/library/pdf/AUP.pdf
Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.
Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html
Latest viruses: http://www.cert.org
Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
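The request in the quoted report is the usual one in a SYN-flood incident: peers are asked to search their flow data for SYN flows towards the victim addresses after the onset time, and the reporter attaches a whois-style "ASN | IP | AS name" top-talker table. The following is an added example, not code from this thread or from UEN or NTT, of the two triage steps a responder on the receiving end typically does: aggregate the top-talker table per ASN (flagging sources that are not globally routable, which, like the 192.168.1.13 entry in the report, cannot be genuine public sources and support the "spoofed" reading), and scan flow records for SYN-only flows to the victims after 13:10 UTC. The flow record format and all flow lines are constructed; the only values taken from the report are the two victim addresses, the onset time and a few table rows.

```python
"""SYN-flood triage helper (added example, not part of the original thread).

1. parse_top_talkers(): aggregate an "ASN | IP | AS name" table per ASN and
   flag sources that are not globally routable (private/bogon space).
2. syn_flows_to_victims(): count SYN-only flows per source towards the victim
   addresses after the reported start time.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress

VICTIMS = {"163.6.5.36", "163.6.5.80"}                 # addresses named in the report
ATTACK_START = datetime(2008, 3, 25, 13, 10, tzinfo=timezone.utc)

# Excerpt of rows in the same "ASN | IP | name" shape as the report.
TOP_TALKERS = """\
209 | 65.124.208.238 | ASN-QWEST - Qwest
209 | 71.34.148.31 | ASN-QWEST - Qwest
3269 | 79.13.117.67 | ASN-IBSNAZ TELECOM ITALIA
3269 | 79.3.147.142 | ASN-IBSNAZ TELECOM ITALIA
3269 | 79.9.117.92 | ASN-IBSNAZ TELECOM ITALIA
7643 | 192.168.1.13 | VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
"""

# Constructed flow records: "<UTC time> <src> <dst> <tcp flags> <packets>".
# Sources use RFC 5737 documentation prefixes; flags are letters (S=SYN, A=ACK, ...).
FLOWS = """\
2008-03-25T13:05:00Z 192.0.2.10 163.6.5.36 S 1
2008-03-25T13:12:00Z 192.0.2.10 163.6.5.36 S 1
2008-03-25T13:12:01Z 192.0.2.10 163.6.5.36 S 1
2008-03-25T13:12:02Z 198.51.100.7 163.6.5.80 S 1
2008-03-25T13:12:03Z 203.0.113.9 163.6.5.80 SAPF 40
2008-03-25T13:12:04Z 192.0.2.10 203.0.113.50 S 1
"""


def parse_top_talkers(text):
    """Return ({asn: [ip, ...]}, [non-global source ips]) from an ASN | IP | name table."""
    per_asn = defaultdict(list)
    suspicious = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3:
            continue                      # blank line or wrapped continuation
        asn, ip = int(parts[0]), parts[1]
        per_asn[asn].append(ip)
        if not ipaddress.ip_address(ip).is_global:
            suspicious.append(ip)         # RFC 1918 etc.: cannot be a real public source
    return dict(per_asn), suspicious


def syn_flows_to_victims(text, victims=VICTIMS, start=ATTACK_START):
    """Count SYN-only (no ACK) flows per source towards the victims at or after `start`.

    A real connection, including a large legitimate transfer from an
    educational customer, carries ACK on the flow; a flood of flows that
    show SYN without ACK is the signal the report asks peers to look for.
    """
    counts = Counter()
    for line in text.splitlines():
        ts, src, dst, flags, _pkts = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < start or dst not in victims:
            continue
        if "S" in flags and "A" not in flags:
            counts[src] += 1
    return counts


if __name__ == "__main__":
    per_asn, suspicious = parse_top_talkers(TOP_TALKERS)
    for asn, ips in sorted(per_asn.items(), key=lambda kv: -len(kv[1])):
        print(f"AS{asn}: {len(ips)} source(s)")
    print("non-global sources (likely spoofed):", suspicious)
    for src, n in syn_flows_to_victims(FLOWS).most_common():
        print(f"{src}: {n} SYN-only flow(s) to victim addresses since attack start")
```

On live data the `FLOWS` string would be replaced by an export from the flow collector (nfdump, SiLK or similar) filtered on the victim addresses; the per-ASN view is what lets the list owner for each AS be contacted with exactly the sources that concern them.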