[nsp-sec] DDoS Attack
Scott A. McIntyre
scott at xs4all.net
Tue Sep 9 00:05:41 EDT 2008
Hi all,
> Our friend Toni is still experiencing a DDoS attack against the
> following two IPs:
>
> 217.30.178.1
> 194.109.206.106
>
This is the same "project" Toni and I have been working on for the
last few weeks. The attack is extremely small (by the standards most
of us are used to...but catastrophic for a DSL line ;-) but I know
he's keen to find the true source of the co-ordination of packet love
and have it taken out.
> The primary method of this particular attack is a TCP SYN flood
> towards port 7000.
>
Eh, no, actually not. The attack is a SYN flood against:
3921
80
6667
7000
All in equal amounts. Just like last time. The traffic is
*definitely spoofed* without any doubt for a significant percentage.
The high point was 50Mbit/s @ 120Kpps yesterday. It currently is
going on at about 20Mbit @ 50Kpps.
The attack follows DNS: as the domain shifts between Toni and me, the
attack follows it with about a 15 to 30 minute lag. Please do not
filter the destination IPs, but if you do happen to see the SYNs in
equal amounts to all those ports to those IPs it would probably be
good to track down the sources.
Thanks people!
Scott A. McIntyre
XS4ALL Internet B.V.
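
The pattern described in the message (bare SYNs in roughly equal amounts to ports 3921, 80, 6667 and 7000 on the two listed IPs) can be checked against exported flow records. The sketch below is an added example, not part of the original post. The record fields (`tcp_flags`, `pkts`, `ingress`), the 15% tolerance, the 1000-packet floor and the sample records are assumptions. Because the message says much of the traffic is spoofed, it ranks ingress points rather than source addresses.

```python
from collections import Counter, defaultdict

# Destination IPs and ports taken from the message above.
TARGETS = {"217.30.178.1", "194.109.206.106"}
PORTS = (3921, 80, 6667, 7000)
SYN, ACK = 0x02, 0x10  # TCP flag bits as carried in flow records


def syn_profile(flows):
    """Sum bare-SYN packets per (target, port) and per (target, ingress)."""
    per_port, per_ingress = defaultdict(Counter), defaultdict(Counter)
    for f in flows:
        if f["dst"] not in TARGETS or f["dport"] not in PORTS:
            continue
        if (f["tcp_flags"] & (SYN | ACK)) != SYN:  # keep SYN without ACK only
            continue
        per_port[f["dst"]][f["dport"]] += f["pkts"]
        per_ingress[f["dst"]][f["ingress"]] += f["pkts"]
    return per_port, per_ingress


def equal_spread(port_counts, tolerance=0.15, min_pkts=1000):
    """True when every listed port gets SYNs within `tolerance` of the mean."""
    counts = [port_counts.get(p, 0) for p in PORTS]
    total = sum(counts)
    if total < min_pkts or min(counts) == 0:
        return False
    mean = total / len(PORTS)
    return all(abs(c - mean) / mean <= tolerance for c in counts)


def report(flows, **thresholds):
    """Map each matching target to its ingress points, busiest first."""
    per_port, per_ingress = syn_profile(flows)
    return {dst: per_ingress[dst].most_common()
            for dst, counts in per_port.items() if equal_spread(counts, **thresholds)}


def flow(src, dst, dport, tcp_flags, pkts, ingress):
    return dict(src=src, dst=dst, dport=dport, tcp_flags=tcp_flags, pkts=pkts, ingress=ingress)


# Constructed sample records (sources from documentation ranges, hypothetical ingress labels).
SAMPLE = [flow(f"198.51.100.{i + 1}", "217.30.178.1", p, SYN, 500 + 10 * i, "peer-A")
          for i, p in enumerate(PORTS)]
SAMPLE += [flow(f"203.0.113.{i + 1}", "217.30.178.1", p, SYN, 100, "peer-B")
           for i, p in enumerate(PORTS)]
SAMPLE += [flow("192.0.2.7", "217.30.178.1", 80, SYN | ACK, 9999, "peer-B"),  # not a bare SYN
           flow("192.0.2.9", "194.109.206.106", 80, SYN, 5000, "peer-C")]    # one port only

if __name__ == "__main__":
    for dst, ingress in report(SAMPLE).items():
        print(dst, ingress)
```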