[nsp-sec] DDOS to 163.6.5.36 ongoing

Smith, Donald Donald.Smith at qwest.com
Tue Mar 25 13:56:06 EDT 2008


Patrick, most of what I am seeing is towards the .36 ip address.
I am not sure they moved the attack to follow your dns changes.
The .80 address isn't receiving many packets (19 records today) and what it is receiving mostly has the ack flag set which I consider normal:)
The .50 address had 0 records.


The .36 is receiving mostly syn and resets (18k records today). 
The ingress and egress interfaces are constant per attacker so I don't believe this is a spoofed attack.

Now for the weird part:) Maybe this is some new style pulse attack but I am seeing some ips with 2-5 records in a row.
Given that we sample at 1/1k that is unusual. 
During most floods I see individual ips repeated but usually NOT in a row like this.
Even a busy hid nat ip will usually have other ip addresses mixed in to the point that they only get a record or max 2 records in a row.

The source TCP ports from a single IP address do not appear to increment normally, indicating a potentially crafted packet.

For any given source IP address I checked the packet size was constant usually 48 but I saw some 64 byte and other sizes of packets.



 

RM=for(1)
{manage_risk(identify_risk(product[i++]) && (identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Patrick Bergen
> Sent: Tuesday, March 25, 2008 9:09 AM
> To: NSP-SEC
> Subject: [nsp-sec] DDOS to 163.6.5.36 ongoing
> 
> ----------- nsp-security Confidential --------
> 
> Starting approx 13:10 (UTC) today we started taking a tcp syn attack
> directed to 163.6.5.36.
> 
> This was the host www.davis.k12.ut.us.
> 
> This host is the webserver for a large school district.  We 
> changed all the
> dns to:
> 
> host www.davis.k12.ut.us
> www.davis.k12.ut.us has address 163.6.5.80
> 
> Other DNS records attached to the former address were
> 
>  webserv.davis.k12.ut.us
> Davis.k12.ut.us
> 
> I'm still seeing quite a few hits to the old IP, guessing 
> they are spoofed.
> 
> Can you all search syn flows to either  67.172.245.50 or 
> 163.6.5.80 anytime
> after 13:10 today?
> 
> Here is a list I scraped together of the top talkers a few mins ago.
> 
> 
> 
> 
> 
> We think some "creative" students that were recently banned from the
> district network are responsible so any info help or info 
> would be greatly
> appreciated at this point.
> 
> *note, if your cust is a US educational institution there 
> could be some
> large legit traffic flows, but certainly not numerous syn flows.
> 
> -- 
> Patrick Bergen
> Sr. Systems Security Analyst
> UEN Security Office
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
> 

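The heuristics in Donald Smith's reply (several records in a row from one source at 1-in-1000 sampling, a constant ingress/egress pair per source, source ports that do not increment, and a fixed packet size) applied to sampled flow records, as an added example that is not code from the thread; the record layout and the sample data are constructed for illustration.

```python
from collections import defaultdict
from itertools import groupby

# Constructed 1-in-1000 sampled flow records, not data from the thread.
# Fields: (src_ip, src_port, ingress_if, egress_if, tcp_flags, pkt_bytes)
SAMPLES = [
    ("203.0.113.7",   1025, 3, 7, "S",   48),
    ("203.0.113.7",   1025, 3, 7, "S",   48),
    ("203.0.113.7",   1025, 3, 7, "R",   48),
    ("198.51.100.9", 40311, 2, 7, "A", 1420),
    ("203.0.113.7",   1025, 3, 7, "S",   48),
    ("198.51.100.9", 40312, 2, 7, "A",  576),
    ("192.0.2.44",   50000, 5, 7, "S",   48),
    ("192.0.2.44",   50000, 1, 7, "S",   64),
    ("203.0.113.7",   1025, 3, 7, "S",   48),
    ("198.51.100.9", 40313, 2, 7, "S",   64),
]

def per_source_stats(records):
    """Summarise each source the way the reply does: longest run of
    consecutive samples, path stability, source-port reuse, packet
    size constancy and the share of SYN/RST records."""
    longest_run = defaultdict(int)
    for ip, run in groupby(records, key=lambda r: r[0]):
        longest_run[ip] = max(longest_run[ip], sum(1 for _ in run))
    by_src = defaultdict(list)
    for r in records:
        by_src[r[0]].append(r)
    stats = {}
    for ip, rs in by_src.items():
        ports = [r[1] for r in rs]
        stats[ip] = {
            "records": len(rs),
            "longest_run": longest_run[ip],
            # one ingress/egress pair per source argues against spoofing
            "stable_path": len({(r[2], r[3]) for r in rs}) == 1,
            # a normal stack picks a fresh ephemeral port per connection
            "port_reuse": len(ports) - len(set(ports)),
            "constant_size": len({r[5] for r in rs}) == 1,
            "syn_rst_share": sum(r[4] in ("S", "R") for r in rs) / len(rs),
        }
    return stats

def flag_sources(records, min_run=2):
    """Sources whose samples match the reply's profile: consecutive
    samples, stable path, reused source port, fixed size, mostly SYN/RST."""
    return sorted(ip for ip, s in per_source_stats(records).items()
                  if s["longest_run"] >= min_run and s["stable_path"]
                  and s["port_reuse"] > 0 and s["constant_size"]
                  and s["syn_rst_share"] >= 0.9)
```

Real collectors export these fields under different names, so map your exporter's columns onto the tuple layout before calling `per_source_stats`.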
