[nsp-sec] On-going DDoS: 195.70.13.84

Nicolas FISCHBACH nicolist at securite.org
Fri Sep 5 13:04:23 EDT 2008


Nicolas FISCHBACH wrote:
>
> A financial sector customer in GVA is getting hammered for a couple
> of days now by an attacker that keeps changing the attack type and
> seems a bit too clever.
> 
> Any intelligence you may have on these two IPs is welcome (C&C and co):
> 
>  195.70.13.84 (primary site)
>  64.209.134.8 ("backup" site)

Thanks to those who checked. Here are some source IPs I managed to
get (if you don't mind re-checking in your DBs):

Attack: 2008-09-03 17:29 CET (confirmed sources as "proper" HTTP GETs)

121.41.124.122 (***)
189.106.122.151
189.30.176.242
189.68.92.242
189.68.94.243
189.78.40.109
190.25.93.108
190.39.32.86 (***)
190.39.46.174
196.217.51.122
196.35.158.180 (***)
200.77.51.99
201.210.15.12 (***)
201.210.66.62
201.210.87.227
201.252.190.186
201.66.4.214
201.92.5.184
220.205.34.129
221.211.79.130
61.243.151.210

And another set from 2008-09-04 17:00 CET (could be spoofed as source
unclear)

119.36.228.61
121.33.149.33
166.143.8.160
189.30.176.242
189.68.42.122
189.71.39.73
190.137.215.33 (***)
190.25.94.96
190.78.88.65 (***)
200.103.10.249
200.232.237.244
200.243.247.173
201.210.15.12
201.66.4.214
201.8.158.139
222.136.152.17
59.61.210.67 (***)
67.87.84.134 (***)
69.129.169.179
89.165.117.111

The ones marked with (***) are the largest offenders.

I'm still hoping to get better and more recent data (like web server
logs from today) but no luck so far. Before some of you ask: the attack
is coming over another provider to parts of the infrastructure we don't
route, can't do anything with PF/TMS :( Waiting for the attacker to find
that other part of the network ;-))

Let me know if you find something :)

Thanks,
Nico.
-- 
Nicolas FISCHBACH
Senior Manager - Network Engineering/Security - COLT Telecom
e:(nico at securite.org) w:<http://www.securite.org/nico/>
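Added example (not part of the original post or any COLT tooling): the kind of log triage the post is waiting on. Given web server access logs in Apache/nginx "combined" format, it counts completed HTTP GETs per source address inside the attack window and flags the top sources the way the post marks its largest offenders with "(***)". Because an access log entry only exists once the TCP handshake completed, addresses ranked this way are not spoofed, which is the difference between the post's first list ("proper" HTTP GETs) and its second one (source unclear, possibly spoofed). The log lines are constructed with RFC 5737 documentation addresses; the window times, the `top_n` threshold and all function names are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample access log (combined format) using RFC 5737 documentation
# addresses; these are NOT the addresses from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2008:17:29:01 +0200] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
192.0.2.10 - - [03/Sep/2008:17:29:01 +0200] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2008:17:29:02 +0200] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
192.0.2.10 - - [03/Sep/2008:17:29:02 +0200] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.99 - - [03/Sep/2008:17:29:03 +0200] "POST /api HTTP/1.1" 200 44 "-" "curl/7.18"
192.0.2.10 - - [03/Sep/2008:17:29:03 +0200] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2008:17:29:04 +0200] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/4.0"
203.0.113.5 - - [03/Sep/2008:16:58:00 +0200] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
this line is garbage and must be skipped, not crash the triage
"""

# Attack window (assumed for the example): 2008-09-03 17:29 local time, 5 minutes.
LOCAL_TZ = timezone(timedelta(hours=2))
WINDOW_START = datetime(2008, 9, 3, 17, 29, tzinfo=LOCAL_TZ)
WINDOW_END = WINDOW_START + timedelta(minutes=5)

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("method"), m.group("path")


def count_gets(log_text, window_start, window_end):
    """Count completed GET requests per source IP inside [window_start, window_end).

    A source that shows up here finished the TCP handshake, so unlike flow or
    SYN-level data its address cannot have been spoofed."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, never abort the whole run
        ip, ts, method, _path = rec
        if method == "GET" and window_start <= ts < window_end:
            counts[ip] += 1
    return counts


def rank_sources(counts, min_requests=1, top_n=3):
    """Order sources by volume and flag the top_n as largest offenders,
    mirroring the post's '(***)' marking.  Returns [(ip, count, flagged), ...]."""
    ranked = [(ip, n) for ip, n in counts.most_common() if n >= min_requests]
    return [(ip, n, i < top_n) for i, (ip, n) in enumerate(ranked)]


def run_sample(top_n=1):
    """Triage the constructed sample for the assumed window."""
    return rank_sources(count_gets(SAMPLE_LOG, WINDOW_START, WINDOW_END), top_n=top_n)


if __name__ == "__main__":
    for ip, n, flagged in run_sample():
        print(f"{ip} {'(***)' if flagged else ''}  {n} GETs")
```

Only GETs inside the window count, so the POST at 17:29:03 and the GET at 16:58 are ignored and the malformed line is skipped; to run this on real logs, read the file in place of `SAMPLE_LOG` and set the window to the attack timestamps from the monitoring alert.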