[nsp-sec] DDoS Attack
Maurizio Molina
maurizio.molina at dante.org.uk
Wed Sep 10 13:51:11 EDT 2008
Scott A. McIntyre wrote:
> ----------- nsp-security Confidential --------
>
> Hi all,
>
>
>> Our friend Toni is still experiencing a DDoS attack against the
>> following two IPs:
>>
>> 217.30.178.1
>> 194.109.206.106
>>
>
> This is the same "project" Toni and I have been working on for the last
> few weeks. The attack is extremely small (by the standards most of us
> are used to...but catastrophic for a DSL line ;-) but I know he's keen
> to find the true source of the co-ordination of packet love and have it
> taken out.
>
>> This primary method of this particular attack is a TCP SYN flood towards
>> port 7000.
>>
>
> Eh, no, actually not. The attack is a SYN flood against:
>
> 3921
> 80
> 6667
> 7000
>
> All in equal amounts. Just like last time. The traffic is *definitely
> spoofed* without any doubt for a significant percentage. The high point
> was 50Mbit/s @ 120Kpps yesterday. It currently is going on at about
> 20Mbit @ 50Kpps.
>
> The attack follows DNS, as the domain shifts between Toni and I, the
> attack follows it with about a 15 to 30 minute lag. Please do not
> filter the destination IPs, but if you do happen to see the SYNs in
> equal amounts to all those ports to those IPs it would probably be good
> to track down the sources.
Hi Scott,
I can see some of this traffic transiting the GEANT2 network (AS 20965).
Not that much: 178 sampled packets in 24h => 178*1000/86400, since we use
1/1000 sampling, => 2 pkt/s.
Here are the detailed flow records (I aggregated the records on the
source ports, so src ports are actually *not* zero...). Flags are
relative to the aggregations as well. You can recognise the dominance of
the ports you mention, and of SYN flags.
Question: since you say you're sure sources are spoofed, what do you
mean by "tracking them down"? Maybe understanding entry points in the
GEANT2 network?
2008-09-09 17:34:19.708 524.185 TCP 147.102.223.215:0 -> 194.109.206.106:3921 ....S. 0 22 1056 0 16 48 22
2008-09-09 17:34:26.813 513.057 TCP 147.102.223.215:0 -> 194.109.206.106:6667 ....S. 0 21 1008 0 15 48 21
2008-09-09 17:33:57.746 568.747 TCP 147.102.223.215:0 -> 194.109.206.106:80 ....S. 0 21 1008 0 14 48 21
2008-09-09 17:39:02.582 2674.037 TCP 194.210.68.80:0 -> 194.109.206.106:80 ....S. 0 19 988 0 2 52 19
2008-09-09 17:34:04.186 494.833 TCP 147.102.223.215:0 -> 194.109.206.106:7000 ....S. 0 16 768 0 12 48 16
2008-09-10 08:41:26.646 22664.839 TCP 193.231.40.18:0 -> 194.109.206.106:7000 .AP.SF 0 15 684 0 0 45 15
2008-09-09 17:37:19.179 4467.769 TCP 194.210.68.80:0 -> 194.109.206.106:6667 ....S. 0 7 364 0 0 52 7
2008-09-10 05:36:06.891 33813.287 TCP 194.210.64.214:0 -> 194.109.206.106:7000 .AP.S. 0 6 274 0 0 45 6
2008-09-09 17:36:46.947 4602.060 TCP 194.210.68.80:0 -> 194.109.206.106:7000 ....S. 0 6 312 0 0 52 6
2008-09-09 17:37:07.143 4325.178 TCP 194.210.68.80:0 -> 194.109.206.106:3921 ....S. 0 5 260 0 0 52 5
2008-09-09 23:42:50.385 35763.820 TCP 193.92.11.30:0 -> 194.109.206.106:7000 .AP.S. 0 5 267 0 0 53 5
2008-09-09 17:46:16.005 47.677 TCP 147.102.229.16:0 -> 194.109.206.106:7000 ....S. 0 5 240 0 40 48 5
2008-09-10 01:02:57.240 14484.905 TCP 193.231.43.103:0 -> 194.109.206.106:7000 .AP.S. 0 5 272 0 0 54 5
2008-09-10 15:32:22.431 5946.014 TCP 194.149.154.1:0 -> 194.109.206.106:3921 .AP.S. 0 4 213 0 0 53 4
2008-09-09 20:32:23.157 33543.124 TCP 81.180.18.114:0 -> 194.109.206.106:7000 .AP.S. 0 4 227 0 0 56 4
2008-09-09 17:46:22.522 46.120 TCP 147.102.229.16:0 -> 194.109.206.106:3921 ....S. 0 4 192 0 33 48 4
2008-09-10 08:06:34.776 1086.803 TCP 81.186.179.190:0 -> 217.30.178.1:8080 ....S. 0 3 144 0 1 48 3
2008-09-09 19:25:06.710 169.754 TCP 193.198.150.146:0 -> 217.30.178.1:24300 .AP.S. 0 2 182 0 8 91 2
2008-09-10 10:11:45.072 2194.608 TCP 194.63.216.54:0 -> 194.109.206.106:7000 ....S. 0 2 96 0 0 48 2
2008-09-09 20:29:37.690 0.000 TCP 193.198.137.36:0 -> 217.30.178.1:7000 ....S. 0 1 48 0 0 48 1
2008-09-10 13:13:14.289 0.000 TCP 194.249.229.83:0 -> 194.109.206.106:6667 .A.... 0 1 40 0 0 40 1
2008-09-10 17:31:04.370 0.000 TCP 153.5.22.143:0 -> 194.109.206.106:3921 .A.... 0 1 40 0 0 40 1
2008-09-10 13:10:34.577 0.000 TCP 193.198.152.17:0 -> 217.30.178.1:24300 ....S. 0 1 48 0 0 48 1
2008-09-09 17:46:46.248 0.000 TCP 147.102.229.16:0 -> 194.109.206.106:80 ....S. 0 1 48 0 0 48 1
2008-09-10 08:04:49.567 0.000 TCP 193.226.38.42:0 -> 194.109.206.106:7000 ....S. 0 1 48 0 0 48 1
>
> Thanks people!
>
> Scott A. McIntyre
> XS4ALL Internet B.V.
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
______________________________________________________________________
Maurizio Molina
Network Engineer
DANTE - www.dante.net
Tel: +44 (0)1223 371 300
Fax: +44 (0)1223 371 371
Email: maurizio.molina at dante.org.uk
PGP Key ID: 3FF58D51
City House, 126-130 Hills Road
Cambridge CB2 1PQ
UK
_____________________________________________________________________
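The sampling arithmetic and the per-port reading of the flow records in the message above, as an added example that is not part of the original thread nor tooling from DANTE or XS4ALL. The records in SAMPLE are copied from the message; the column layout (nfdump extended output: start, duration, proto, src:port -> dst:port, flags, tos, packets, bytes, pps, bps, bpp, flows), the 1/1000 sampling rate and the 24h window are assumptions taken from what the message states.

```python
# Parse nfdump-style flow records like those pasted above, keep the SYN-only
# flows toward the two victims, total packets per destination port and scale
# for 1/1000 sampling.  Added example, not DANTE or XS4ALL tooling.
import re
from collections import Counter

# Records copied from the message, one per line; the last line is a
# constructed non-record to show that such lines are skipped.
SAMPLE = """\
2008-09-09 17:34:19.708 524.185 TCP 147.102.223.215:0 -> 194.109.206.106:3921 ....S. 0 22 1056 0 16 48 22
2008-09-09 17:33:57.746 568.747 TCP 147.102.223.215:0 -> 194.109.206.106:80 ....S. 0 21 1008 0 14 48 21
2008-09-09 17:39:02.582 2674.037 TCP 194.210.68.80:0 -> 194.109.206.106:80 ....S. 0 19 988 0 2 52 19
2008-09-09 17:34:04.186 494.833 TCP 147.102.223.215:0 -> 194.109.206.106:7000 ....S. 0 16 768 0 12 48 16
2008-09-10 08:41:26.646 22664.839 TCP 193.231.40.18:0 -> 194.109.206.106:7000 .AP.SF 0 15 684 0 0 45 15
2008-09-10 08:06:34.776 1086.803 TCP 81.186.179.190:0 -> 217.30.178.1:8080 ....S. 0 3 144 0 1 48 3
Summary: total flows: 6 (constructed trailer, not a record)
"""
VICTIMS = {"217.30.178.1", "194.109.206.106"}

# Assumed column order (nfdump extended output): start, duration, proto,
# src:port -> dst:port, flags (UAPRSF), tos, packets, bytes, pps, bps, bpp, flows
FLOW_RE = re.compile(
    r"^\s*(?P<start>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>[A-Z]+)\s+(?P<src>\S+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<flags>[.UAPRSF]{6})\s+(?P<tos>\d+)\s+(?P<pkts>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s+(?P<flows>\d+)\s*$"
)
INT_FIELDS = ("sport", "dport", "tos", "pkts", "bytes", "pps", "bps", "bpp", "flows")

def parse_flows(text):
    """One dict per well-formed record; any other line is skipped."""
    recs = []
    for m in filter(None, map(FLOW_RE.match, text.splitlines())):
        r = m.groupdict()
        r.update({k: int(r[k]) for k in INT_FIELDS}, dur=float(r["dur"]))
        recs.append(r)
    return recs

def syn_packets_per_port(records, victims=VICTIMS, sampling=1000):
    """Estimated packets per (dst, dport) from SYN-only TCP flows (sampled count
    times sampling rate); .AP.S./.AP.SF flows are sessions, not flood SYNs."""
    totals = Counter()
    for r in records:
        if r["proto"] == "TCP" and r["dst"] in victims and r["flags"] == "....S.":
            totals[(r["dst"], r["dport"])] += r["pkts"] * sampling
    return dict(totals)

def estimated_pps(records, victims=VICTIMS, window_s=86400, sampling=1000):
    """Average rate toward the victims, as in the message: sampled * 1000 / 86400."""
    return sum(r["pkts"] for r in records if r["dst"] in victims) * sampling / window_s
```

Run against the full listing in the message, the SYN-only totals make the equal spread over 3921/80/6667/7000 visible, while the .AP.S. flows to 7000 stand out as ordinary sessions that a destination-port filter would also have cut.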