[nsp-sec] ACK Botnet dump.
Par Osterberg Medina
par.osterberg at sitic.se
Mon Sep 1 03:50:36 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Proxy-ACK for ASN: 1257, 3257, 3292, 3301, 8473, 28847, 29518, 33885 and 39651
./Pär
Scott A. McIntyre wrote:
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> Yesterday Toni Koivunen (now of F-Secure, previously of Ficora/CERT-FI)
> was doing some research into the najd.us botnet which he was able to
> take over when the baddies decided to throw a lot of packets at his
> botpot. He found me online and asked if I could take some of the heat
> off and I happily said "sure!"...
>
> During the next few hours the miscreants threw about a hundred thousand
> packets per second at up to around 35Mbps towards my botpot, which was
> easily dealt with. We were able to grab a lot of bots connecting to the
> botnet, just under 14000 unique IPs over 1189 ASNs. The top five are:
>
> #bots   ASN
>   443   3462
>   475   9908
>   601   5617
>   950  10091
>  1352   9506
>
> The entire list of infected systems with timestamp in UTC format of
> connections can be found at:
>
> https://asn.cymru.com/nsp-sec/upload/1220017098.whois.txt
>
> I don't think puck will let me attach an image to this email, but I'll
> try anyway. It's what the botpot looked like on my end and watching the
> miscreants do their best to take it off line, then fail, and give up and
> life goes on...
>
> If puck fails on this and someone wants the pic, lemme know.
>
> Anyway, it was great working with Toni (F-Secure is a member of FIRST,
> so he's hanging around that community regularly) again. My offer to
> help him of course goes out to the rest of NSP-SEC; if you're looking
> to take a bit of the heat off from a botpot of your own and I can
> assist, I'm happy to do so!
>
> Good luck with the clean up,
> Scott A. McIntyre
> XS4ALL Internet B.V.
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIu57MpIEfudwUi78RArefAKDRHgBjJc/071lJj4Mug8/GNgEdBQCfZIjA
t0RtrLIm/w6kHVCuHmvJiZU=
=mSHM
-----END PGP SIGNATURE-----
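The counts Scott quotes (unique bots per ASN, then a top-five list) and the per-ASN ACKs in the replies are the two steps of turning a botpot capture into notifications: deduplicate connecting hosts by ASN, rank the networks, then hand each acknowledging ASN its own slice of the list. The script below is an added example of that workflow and is not code from the post or from nsp-security; the record layout it parses (`timestamp ip asn`) is constructed for the example and is not the format of the whois.txt file linked above, and the IPs are from RFC 5737 documentation ranges.

```python
"""Aggregate botpot/sinkhole connection records by origin ASN.

Added example, not the poster's or the list's own tooling. Record format
("<YYYY-MM-DD> <HH:MM:SS> <ip> <asn>", timestamps in UTC) is an assumption
made for this example; real exports will need their own parser.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records (documentation IPs, ASNs taken from the thread).
# One host reconnects, one line is malformed, so dedup and error handling
# are both exercised.
SAMPLE_RECORDS = """\
2008-08-29 13:20:01 192.0.2.10 9506
2008-08-29 13:20:01 192.0.2.10 9506
2008-08-29 13:20:02 192.0.2.11 9506
2008-08-29 13:20:05 198.51.100.7 10091
2008-08-29 13:20:09 198.51.100.8 10091
2008-08-29 13:20:11 203.0.113.3 3462
2008-08-29 13:20:14 203.0.113.4 3292
2008-08-29 13:20:15 malformed line
2008-08-29 13:20:20 203.0.113.5 3292
"""


def parse_records(text):
    """Yield (timestamp, ip, asn) per well-formed line; silently skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, clock, ip, asn = parts
        try:
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            ipaddress.ip_address(ip)  # raises ValueError on junk like "malformed"
            yield ts.replace(tzinfo=timezone.utc), ip, int(asn)
        except ValueError:
            continue


def bots_per_asn(text):
    """Unique infected IPs per ASN; a host that reconnects is counted once."""
    seen = defaultdict(set)
    for _ts, ip, asn in parse_records(text):
        seen[asn].add(ip)
    return Counter({asn: len(ips) for asn, ips in seen.items()})


def top_asns(text, n=5):
    """[(asn, count)] ranked by count descending, ties broken by ASN ascending."""
    counts = bots_per_asn(text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def notification_batches(text, acked_asns):
    """For each ASN that ACKed, the sorted (first_seen_iso, ip) rows to send it."""
    first_seen = {}
    for ts, ip, asn in parse_records(text):
        if asn in acked_asns and (ip not in first_seen or ts < first_seen[ip][0]):
            first_seen[ip] = (ts, asn)
    batches = defaultdict(list)
    for ip, (ts, asn) in first_seen.items():
        batches[asn].append((ts.isoformat(), ip))
    return {asn: sorted(rows) for asn, rows in batches.items()}


if __name__ == "__main__":
    print("#bots ASN")
    for asn, count in top_asns(SAMPLE_RECORDS):
        print(f"{count:5d} {asn}")
    for asn, rows in notification_batches(SAMPLE_RECORDS, {3292}).items():
        print(f"AS{asn}: {len(rows)} host(s)")
        for ts, ip in rows:
            print(f"  {ts} {ip}")
```

Counting unique IPs rather than connection lines is the point of the dedup step: a bot that reconnects after a sinkhole blip would otherwise inflate its network's rank. The batches are keyed by ASN so that each network only ever receives its own hosts, which matches the way ACKs in the thread are given per ASN.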