[nsp-sec] DDoS Attack
Smith, Donald
Donald.Smith at qwest.com
Mon Sep 8 15:00:36 EDT 2008
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Nicholas Ianelli
> Sent: Monday, September 08, 2008 11:39 AM
> To: NSP nsp-security
> Subject: [nsp-sec] DDoS Attack
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Our friend Toni is still experiencing a DDoS attack against the
> following two IPs:
>
> 217.30.178.1
> 194.109.206.106
>
> The primary method of this particular attack is a TCP SYN flood towards
> port 7000.
>
> The main IPs in question are (timestamps are 2008.09.09 ~13:00 utc+2):
Did you mean 2008.09.08?
Today is the 8th of Sept;)
>
> 33652 | 24.9.60.153 | DNEO-OSP7 - Comcast Cable Communications
> 33491 | 98.212.137.142 | DNEO-OSP7 - Comcast Cable Communications
> 33287 | 74.92.83.25 | DNEO-OSP4 - Comcast Cable Communications
> 11427 | 76.187.81.99 | SCRR-11427 - Road Runner HoldCo LLC
> 12271 | 68.175.76.196 | SCRR-12271 - Road Runner HoldCo LLC
> 209 | 97.119.197.219 | ASN-QWEST - Qwest
I looked and this IP is just doing web surfing.
No attack traffic that I could see.
This may imply that the src IPs are spoofed.
> 3356 | 65.77.78.25 | LEVEL3 Level 3 Communications
> 36423 | 70.45.118.68 | SAN-JUAN-CABLE - San Juan Cable, LLC
> 11992 | 64.213.120.105 | CENTENNIAL-PR - Centennial de Puerto Rico
> 6621 | 67.143.14.242 | HNS-DIRECPC - Hughes Network Systems
> 11367 | 204.119.21.208 | ICENET - ICE Networks
> 14638 | 69.79.90.91 | LCPR-HSD - Liberty Cablevision of Puerto
> Rico LTD
>
> Any help in cleaning up the infected hosts and locating the C&C would be
> very much appreciated.
>
> Thanks!
> Nick
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkjFY08ACgkQi10dJIBjZIBE+wCg3l+SWxiYXHh9kJuFsItYMS7i
> pKoAn19gTykQp/diG2/T8ihB5QbslZTI
> =LX0+
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
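An added example, not code from the thread or from either poster, showing the check Donald describes above run over flow records: for each address in the reported list, does it actually emit SYN-only traffic toward the two victims on tcp/7000, or only ordinary browsing (which points at the source being spoofed)? The victim addresses, the port and the "ASN | IP | AS name" list layout are taken from the message; the flow records and their CSV column layout are constructed for illustration, and the threshold of two SYN-only flows is an arbitrary assumption. It also lists sources that meet the threshold but were not in the report.

```python
"""Triage a reported SYN-flood source list against local flow records.

Added example, not code from the nsp-sec thread. The flow records are
constructed for illustration; their column layout (src,dst,proto,sport,
dport,flags,packets) is an assumed CSV export, not any collector's format.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Victim addresses and port as named in the report.
TARGETS = {"217.30.178.1", "194.109.206.106"}
ATTACK_PORT = 7000

# Reported sources, in the "ASN | IP | AS name" layout used in the thread.
REPORTED = """\
33652 | 24.9.60.153 | DNEO-OSP7 - Comcast Cable Communications
11427 | 76.187.81.99 | SCRR-11427 - Road Runner HoldCo LLC
209 | 97.119.197.219 | ASN-QWEST - Qwest
3356 | 65.77.78.25 | LEVEL3 Level 3 Communications
"""

# Constructed flow records (assumed layout: src,dst,proto,sport,dport,flags,pkts).
FLOWS = """\
24.9.60.153,217.30.178.1,tcp,41211,7000,S,1
24.9.60.153,217.30.178.1,tcp,41212,7000,S,1
24.9.60.153,194.109.206.106,tcp,41213,7000,S,1
97.119.197.219,93.184.216.34,tcp,51022,80,SA,14
97.119.197.219,93.184.216.34,tcp,51023,443,SA,31
65.77.78.25,194.109.206.106,tcp,50001,7000,S,1
65.77.78.25,194.109.206.106,tcp,50002,7000,S,1
10.0.0.7,217.30.178.1,tcp,60000,7000,S,1
10.0.0.7,217.30.178.1,tcp,60001,7000,S,1
10.0.0.7,217.30.178.1,tcp,60002,7000,S,1
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str
    packets: int

    def is_syn_only(self) -> bool:
        # A half-open SYN flood shows as SYN set with ACK never set.
        return self.proto == "tcp" and "S" in self.flags and "A" not in self.flags


def parse_reported(text: str) -> list[tuple[int, str, str]]:
    """Parse 'ASN | IP | name' lines, validating the IP column."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        asn, ip, name = (p.strip() for p in line.split("|", 2))
        out.append((int(asn), str(ip_address(ip)), name))
    return out


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed CSV flow export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, flags, pkts = line.split(",")
        flows.append(Flow(src, dst, proto, int(sport), int(dport), flags, int(pkts)))
    return flows


def syn_counts(flows, targets=TARGETS, dport=ATTACK_PORT) -> Counter:
    """SYN-only flows toward the victims on the attack port, per source."""
    c = Counter()
    for f in flows:
        if f.dst in targets and f.dport == dport and f.is_syn_only():
            c[f.src] += 1
    return c


def triage(reported, flows, threshold=2):
    """Classify each reported source: confirmed, no-attack-traffic or not-seen."""
    syn = syn_counts(flows)
    seen = {f.src for f in flows}
    verdict = {}
    for _asn, ip, _name in reported:
        if syn[ip] >= threshold:
            verdict[ip] = "confirmed"
        elif ip in seen:
            # Traffic from this address exists but none of it is the attack:
            # the address may be spoofed in the SYNs, or the host has stopped.
            verdict[ip] = "no-attack-traffic"
        else:
            verdict[ip] = "not-seen"
    return verdict


def unreported_sources(reported, flows, threshold=2):
    """Sources meeting the threshold that the report did not list."""
    listed = {ip for _, ip, _ in reported}
    return sorted(ip for ip, n in syn_counts(flows).items()
                  if n >= threshold and ip not in listed)


if __name__ == "__main__":
    rep = parse_reported(REPORTED)
    fl = parse_flows(FLOWS)
    for ip, v in triage(rep, fl).items():
        print(f"{ip:16} {v}")
    print("unreported:", unreported_sources(rep, fl))
```

A "no-attack-traffic" verdict is the situation Donald reports for the Qwest address: the host is visible, but only with normal established (SYN+ACK) web sessions, so the SYN flood's source field is likely forged rather than that host being infected. A "not-seen" verdict only means the collector covering the address saw nothing in the window, so it should be re-run against the right vantage point before the address is cleared.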