[nsp-sec] anyone see a large udp flood against viaklix ?
Rob Thomas
robt at cymru.com
Tue May 6 14:23:34 EDT 2008
Yeah, I would guess it was a web visit. What isn't clear is if it was a
test ("Is it still alive?"), which is fairly common among botnets, or if
it was legitimate traffic.
Smith, Donald wrote:
> When you say "reaching out" I assume you mean this bot downloaded
> something from 198.203.192.228. Not a DDoS, a single HTTP request. Am I
> interpreting this correctly?
>
>
>
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) &&
> (identify_threat[product[i++]))}
> Donald.Smith at qwest.com giac
>
>> -----Original Message-----
>> From: Rob Thomas [mailto:robt at cymru.com]
>> Sent: Tuesday, May 06, 2008 11:15 AM
>> To: Smith, Donald
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] anyone see a large udp flood against viaklix ?
>>
>> Hi, Don.
>>
>> The only nibble we saw was a bot reaching out to TCP 80 on
>> 198.203.192.228 on 2008-05-05 06:54:18 UTC:
>>
>> 77.90.4.139 6667/tcp bot ID: irc.priv8net.com
>>
>> Sorry,
>> Rob.
>>
>>
>> Smith, Donald wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> These are the ip addresses that are victims in this attack.
>>> 198.203.191.65
>>> 198.203.191.66
>>> 198.203.191.101
>>> 198.203.191.109
>>> 198.203.191.173
>>> 198.203.192.228
>>>
>>> If anyone saw this and has more information that would be helpful.
>>> The attack took place early Saturday AM but it is still on-going at a
>>> rate of 300k UDP pps.
>>>
>>> TIA
>>>
>>>
>>> H8Hz
>>> Donald.Smith at qwest.com giac
>>>
>>>
>> --
>> Rob Thomas
>> Team Cymru
>> The WHO and WHY team
>> http://www.team-cymru.org/
>>
>>
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/