[nsp-sec] DDOS to 163.6.5.36 ongoing
White, Gerard
Gerard.White at aliant.ca
Tue Mar 25 12:39:57 EDT 2008
Greetings.
<Gentle reminder about NSP-SEC disclosure rules>
I think that this IRCd based Botnet is the source of your troubles:
(apologies for the explicative terms)
There appears to be no DNS RR associated with the TCP/6667 C&C:
AS | IP | AS Name
25761 | 72.20.17.129 | STAMINUS-COMM - Staminus Communications
PASS 69playbytherules420
Welcome to the devilcorp-hosting IRC Network
Your host is irc.devil2005, running version Unreal3.2.6
This server was created Sun Mar 9 2008 at 18:26:37 PDT
JOIN #googlemyballs808 googlemydickhole808
ACK for our single contributor listed below...
GW
855 - Bell Aliant
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Patrick Bergen
> Sent: Tuesday, March 25, 2008 12:39 PM
> To: NSP-SEC
> Subject: [nsp-sec] DDOS to 163.6.5.36 ongoing
>
> ----------- nsp-security Confidential --------
>
> Starting approx 13:10 (UTC) today we started taking a tcp syn attack
> directed to 163.6.5.36.
>
> This was the host www.davis.k12.ut.us.
>
> This host is the webserver for a large school district. We changed all the
> dns to:
>
> host www.davis.k12.ut.us
> www.davis.k12.ut.us has address 163.6.5.80
>
> Other DNS records attached to the former address were
>
> webserv.davis.k12.ut.us
> Davis.k12.ut.us
>
> I'm still seeing quite a few hits to the old IP, guessing they are spoofed.
>
> Can you all search syn flows to either 67.172.245.50 or 163.6.5.80 anytime
> after 13:10 today?
>
> Here is a list I scraped together of the top talkers a few mins ago.
>
> 855 | 142.167.108.94 | CANET-ASN-4 - Bell Aliant
>
> We think some "creative" students that were recently banned from the
> district network are responsible, so any help or info would be greatly
> appreciated at this point.
>
> *note, if your cust is a US educational institution there could be some
> large legit traffic flows, but certainly not numerous syn flows.
>
> --
> Patrick Bergen
> Sr. Systems Security Analyst
> UEN Security Office
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
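The flow search Patrick asks for above (SYN flows toward the targeted addresses after 13:10 UTC, ranked by source) is the kind of check each contributor would run against their own NetFlow export. The Python below is an added illustration, not code from the thread or from UEN or Bell Aliant: it works on a constructed CSV of flow records whose destination addresses are the ones named in the thread and whose source addresses are RFC 5737 documentation ranges, and it only counts SYN-only flows (no ACK), so the large but legitimate flows of an educational customer, which complete the handshake, are not reported.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample flow records, one per line:
# start_time_utc,src,dst,dport,tcp_flags,packets
# The sources are RFC 5737 documentation addresses, not real talkers.
SAMPLE_FLOWS = """\
2008-03-25T13:05:12Z,198.51.100.7,163.6.5.36,80,S,1
2008-03-25T13:11:02Z,198.51.100.7,163.6.5.36,80,S,1
2008-03-25T13:11:03Z,198.51.100.7,163.6.5.36,80,S,1
2008-03-25T13:11:05Z,203.0.113.9,163.6.5.36,80,S,1
2008-03-25T13:12:40Z,192.0.2.20,163.6.5.80,80,SA,14
2008-03-25T13:12:41Z,198.51.100.7,163.6.5.80,80,S,1
2008-03-25T13:15:00Z,203.0.113.9,163.6.5.80,443,S,1
2008-03-25T13:20:00Z,192.0.2.77,163.6.5.80,80,SPA,40
2008-03-25T13:21:00Z,198.51.100.7,198.51.100.1,80,S,1
"""

# Addresses named in the thread as the attack target and its replacements.
TARGETS = {"163.6.5.36", "163.6.5.80", "67.172.245.50"}
# Attack start as reported: approx 13:10 UTC on the day of the mail.
ATTACK_START = datetime(2008, 3, 25, 13, 10, tzinfo=timezone.utc)


def parse_flows(text):
    """Parse the CSV flow export into dicts with a timezone-aware start time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags, packets = line.split(",")
        start = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({
            "start": start, "src": src, "dst": dst,
            "dport": int(dport), "flags": flags, "packets": int(packets),
        })
    return flows


def syn_only(flags):
    """True for a flow that never got past the SYN: SYN set, ACK never seen.
    A completed handshake (SA, SPA, ...) is ordinary traffic and is skipped."""
    return "S" in flags and "A" not in flags


def top_syn_talkers(flows, targets=TARGETS, start=ATTACK_START, n=10):
    """Rank sources by number of SYN-only flows toward the targets after `start`."""
    counter = Counter()
    for f in flows:
        if f["dst"] in targets and f["start"] >= start and syn_only(f["flags"]):
            counter[f["src"]] += 1
    return counter.most_common(n)


if __name__ == "__main__":
    for src, count in top_syn_talkers(parse_flows(SAMPLE_FLOWS)):
        print(f"{src:<16} {count} SYN-only flows")
```

With the constructed data this reports 198.51.100.7 (3 flows) and 203.0.113.9 (2 flows); the flow before 13:10, the flow to an unrelated destination and the two completed connections are all left out. A real run would join the ranked sources against the contributor's own customer prefixes before acting, since the thread itself notes that the sources may be spoofed.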