[nsp-sec] DOS towards 212.181.112.29
Patrick Bergen
pbergen at uen.org
Thu Mar 27 19:54:20 EDT 2008
Might want to check for flows to 212.181.112.29

212-181-112-29.customer.telia.com

AS | IP | AS Name
3301 | 212.181.112.29 | TELIANET-SWEDEN TeliaNet Sweden

I just nabbed a host from one of our universities (161.28.161.100) sending
300 kpps of UDP packet love in their direction.

Started as src port 64046 to random udp dst port, then right before I shut
him down it changed to udp dst 113.

Looking at what triggered the dos, I see 161.28.161.100 get ssh brute
forced over the night by 60.10.148.57

4837 | 60.10.148.57 | CHINA169-BACKBONE CNCGROUP China169 Backbone

Then about 12 hours later 79.112.85.53 connects via ssh.. Few mins later ..
Bam

AS | IP | AS Name
8708 | 79.112.85.53 | RDSNET RCS & RDS S.A.

I can still see 79.112.85.53 trying to connect to 161.28.161.100... But it
is black holed

Anyway.. Just a heads up in case this was involving more than my one host.

--
Patrick Bergen
Sr. Systems Security Analyst
UEN Security Office
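
The flow check suggested in the message above, as an added example that is not part of the original post: it scans flow records for local hosts sending high-rate UDP to 212.181.112.29 and lists the SSH peers that reached each such host before its flood began. The CSV layout, the sample records, the threshold and the function name are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

VICTIM = "212.181.112.29"   # target named in the post
PPS_THRESHOLD = 10_000      # assumed alert threshold, tune per network

# Constructed sample flow records (not real capture data). Assumed columns:
# start_epoch,duration_s,proto,src,sport,dst,dport,packets
SAMPLE_FLOWS = """\
1000,600,tcp,60.10.148.57,40000,161.28.161.100,22,9000
44200,300,tcp,79.112.85.53,51000,161.28.161.100,22,400
44500,60,udp,161.28.161.100,64046,212.181.112.29,40213,18000000
44560,60,udp,161.28.161.100,64046,212.181.112.29,113,18000000
44500,60,udp,161.28.161.7,53124,212.181.112.29,53,12
"""


def find_flooders(flow_csv, victim=VICTIM, threshold=PPS_THRESHOLD):
    """Return {src: report} for hosts sending UDP to victim above threshold pps."""
    udp = defaultdict(lambda: {"pkts": 0, "secs": 0, "first": None, "dports": set()})
    ssh_in = defaultdict(list)  # local host -> [(start, remote peer)] on tcp/22
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 8:
            continue  # skip blank or malformed records
        start, dur, proto, src, _sport, dst, dport, pkts = row
        start, dur, pkts = int(start), int(dur), int(pkts)
        if proto == "udp" and dst == victim:
            s = udp[src]
            s["pkts"] += pkts
            s["secs"] += max(dur, 1)  # assumes one flow at a time per source
            s["first"] = start if s["first"] is None else min(s["first"], start)
            s["dports"].add(int(dport))
        elif proto == "tcp" and dport == "22":
            ssh_in[dst].append((start, src))
    report = {}
    for src, s in udp.items():
        pps = s["pkts"] / s["secs"]
        if pps < threshold:
            continue
        # SSH peers seen before the flood started: candidate entry points
        prior = sorted({peer for t, peer in ssh_in[src] if t < s["first"]})
        report[src] = {"pps": round(pps), "dports": sorted(s["dports"]),
                       "prior_ssh_peers": prior}
    return report


if __name__ == "__main__":
    for host, info in find_flooders(SAMPLE_FLOWS).items():
        print(host, info)
```
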