[nsp-sec] spamhaus ddos attack commands
Smith, Donald
Donald.Smith at qwest.com
Wed May 28 13:32:34 EDT 2008
I am seeing 1500 byte icmp echo requests and 1104 byte echo responses
which I believe is part of this attack that is coming from a single
source ip.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Shelton, Steve
> Sent: Wednesday, May 28, 2008 8:54 AM
> To: Jose Nazario; nsp-security NSP
> Subject: Re: [nsp-sec] spamhaus ddos attack commands
>
> ----------- nsp-security Confidential --------
>
> Jose,
>
> The /32 has been sunk on 174 and I'll keep my ears open to see if there
> is anything else we can do here.
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Jose Nazario
> Sent: Wednesday, May 28, 2008 10:10 AM
> To: nsp-security NSP
> Subject: [nsp-sec] spamhaus ddos attack commands
>
> ----------- nsp-security Confidential --------
>
> folks
>
> spamhaus is under ddos attack from a black energy botnet. here are some
> details:
>
> Start Timestamp 2008-05-28 08:07:40
> Latest Timestamp 2008-05-28 09:07:57
> C&C IP 200.63.46.62
> C&C Hostname vse.ohueli.net
> C&C Hostname prosto.pizdos.net
> C&C Port 80
> C&C ASN 15083
> C&C CC AR
> Command URL http://vse.ohueli.net/_vse_/stat.php
> Command Given
> 10;2000;5;1;0;30;100;3;10;2000;2000#flood http www.spamhaus.org#10#
>
> Target IP 64.124.52.228
> Target Hostname www.spamhaus.org
> Target ASN 6461
> Target CC US
>
> all times in US Eastern.
>
> i don't know how big this network is or how serious the effects are. i've
> notified the spamhaus guys and am now reaching out to you to see if you
> can help detect and shut this one down.
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security
> counter-measures.
> _______________________________________________
>
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
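Donald's observation above (a burst of 1500-byte ICMP echo requests from one source, answered by 1104-byte echo replies) is the kind of pattern a flow collector can surface automatically. The following is an added example, not code from the thread or from any of the participants; the flow-record format it parses is constructed here, and the thresholds and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are illustrative assumptions.

```python
"""Flag sources sending bursts of oversized ICMP echo requests.

The key=value record format below is constructed for this example; adapt
parse_flow() to whatever your collector exports (NetFlow/sFlow/IPFIX).
"""
from collections import defaultdict

# Constructed sample flow records (RFC 5737 addresses, not from the thread).
# 'bytes' is the flow total, so bytes/pkts gives the average packet size.
SAMPLE_FLOWS = """\
2008-05-28T08:10:01 proto=icmp src=192.0.2.10 dst=203.0.113.5 type=8 code=0 bytes=60000 pkts=40
2008-05-28T08:10:01 proto=icmp src=203.0.113.5 dst=192.0.2.10 type=0 code=0 bytes=44160 pkts=40
2008-05-28T08:10:02 proto=icmp src=192.0.2.10 dst=203.0.113.5 type=8 code=0 bytes=82500 pkts=55
2008-05-28T08:10:02 proto=icmp src=198.51.100.7 dst=203.0.113.5 type=8 code=0 bytes=64 pkts=1
2008-05-28T08:10:03 proto=tcp src=198.51.100.8 dst=203.0.113.5 sport=40000 dport=80 bytes=4500 pkts=3
2008-05-28T08:10:03 proto=icmp src=192.0.2.10 dst=203.0.113.5 type=8 code=0 bytes=45000 pkts=30
"""


def parse_flow(line):
    """Parse one 'ts key=value ...' flow line into a dict; numeric values become ints."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def oversized_echo_sources(flow_text, min_avg_bytes=1000, min_pkts=100):
    """Return {src: packet_count} for sources whose ICMP echo requests (type 8)
    with an average packet size >= min_avg_bytes add up to at least min_pkts.

    Echo replies (type 0) and other protocols are ignored: the reply side is
    the victim answering, so only the request side identifies the sender."""
    pkts_by_src = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec.get("proto") != "icmp" or rec.get("type") != 8:
            continue
        if rec["bytes"] / rec["pkts"] >= min_avg_bytes:
            pkts_by_src[rec["src"]] += rec["pkts"]
    return {src: n for src, n in pkts_by_src.items() if n >= min_pkts}


if __name__ == "__main__":
    for src, n in oversized_echo_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {n} oversized echo requests -> candidate for rate-limit/ACL")
```

In the sample, only 192.0.2.10 crosses the threshold (125 large echo-request packets); the 64-byte ping from 198.51.100.7 and the TCP flow are ignored.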