[nsp-sec] DDoS against 204.69.234.1/204.74.101.1

Rodney Joffe rjoffe at centergate.com
Tue Apr 14 23:10:22 EDT 2009


On Apr 14, 2009, at 7:58 PM, Keith Schoenefeld wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I don't have the ability to look at DNS logs at the moment (we don't
> capture them), but flow logs indicate 142 flows in the last five
> minutes to 204.69.234.1 and (all appear to be from legitimate DNS
> servers on campus), and 1446 flows in the last five minutes to
> 204.74.101.1 (again, all appear to be from legitimate DNS servers on
> campus).

Thanks Keith. That small a flow is likely valid queries ... but it
would be good to have you confirm this.

Also, at about 02:55 UTC the attack seems to have mainly stopped.

Forensics to identify the c&c would still be useful.

This "feels" like extortion - so we will likely see the next phase
shortly.

>
>
> - -- KS
>
> Rodney Joffe wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi Guys,
>>
>> We're having some issues at the moment, like this...
>>
>> 01:58:31.528866 IP 96.229.37.175.50264 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529003 IP 203.179.88.62.61411 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529174 IP 118.68.157.93.20580 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529182 IP 115.103.3.197.15970 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529239 IP 76.202.116.91.1535 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529889 IP 68.181.227.97.3180 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.529922 IP 222.254.123.1.35037 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>> 01:58:31.530031 IP 68.181.227.97.3182 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
>>
>> We're filtering, but it would be very helpful if you could look for the
>> botnet and C&C, and nail it.
>>
>> Thanks
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
>
> - --
> Keith Schoenefeld
> Network Security Officer
> Office of Privacy and Information Assurance
> University of Illinois
> (217) 333-4332
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAknlTTkACgkQdQwgufanQJqRYQCeNcK3Tq4Yh9UMjkUJhhrZdqcU
> bG0AoIzWjtoldCSvGWBjNspFEwvFhZjP
> =iznh
> -----END PGP SIGNATURE-----
>
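The quoted capture shows one DNS transaction id (54817) and one name arriving from many unrelated source addresses inside two milliseconds, which is what separates a scripted flood from the legitimate campus-resolver traffic Keith describes: independent resolvers choose their own 16-bit ids, so the same id on the same name from many hosts is the flood's fingerprint. As an added example, not part of this thread and not any poster's tooling, here is a small Python parser for tcpdump's DNS summary line format plus a detector that groups queries by (server, name, txid) and reports groups with many distinct sources. The regex assumes tcpdump's default summary format as quoted above; the threshold of five sources and the two 192.0.2.0/24 "ordinary" queries in the sample are constructed assumptions.

```python
"""Spot a DNS query flood in tcpdump output: one (name, transaction id)
pair arriving from many distinct source addresses.

Added example for this thread, not the list's or any poster's tool.
The line format assumed is tcpdump's default DNS summary as quoted in
the thread; the threshold and the 192.0.2.x sample lines are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample: the eight packets quoted in the thread, followed by
# two ordinary-looking queries from documentation-range sources.
SAMPLE_CAPTURE = """\
01:58:31.528866 IP 96.229.37.175.50264 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529003 IP 203.179.88.62.61411 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529174 IP 118.68.157.93.20580 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529182 IP 115.103.3.197.15970 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529239 IP 76.202.116.91.1535 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529889 IP 68.181.227.97.3180 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.529922 IP 222.254.123.1.35037 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:31.530031 IP 68.181.227.97.3182 > 204.69.234.1.domain: 54817+ A? www.yishengbo.com. (35)
01:58:32.104400 IP 192.0.2.10.40111 > 204.69.234.1.domain: 12345+ A? www.example.com. (33)
01:58:32.204400 IP 192.0.2.11.40112 > 204.69.234.1.domain: 9981+ AAAA? www.example.net. (33)
"""


class DnsQuery(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    txid: int
    qtype: str
    qname: str


# "HH:MM:SS.usec IP src.sport > dst.port: txid[+] TYPE? name. (len)"
# The "+" after the id is tcpdump's recursion-desired marker.
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.\w+: (?P<txid>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one tcpdump DNS query line; return None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return DnsQuery(m["ts"], m["src"], int(m["sport"]), m["dst"],
                    int(m["txid"]), m["qtype"], m["qname"])


def parse_capture(text: str) -> List[DnsQuery]:
    """Parse every query line in a capture, silently skipping non-query lines."""
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def shared_txid_sources(queries: List[DnsQuery],
                        min_sources: int = 5) -> Dict[Tuple[str, str, int], Set[str]]:
    """Group queries by (server, name, txid) and keep groups whose number of
    distinct source IPs reaches min_sources. Repeated packets from one host
    (different source ports) count once, so the signal is host fan-in."""
    by_key: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for q in queries:
        by_key[(q.dst, q.qname, q.txid)].add(q.src)
    return {k: v for k, v in by_key.items() if len(v) >= min_sources}


def per_destination_summary(queries: List[DnsQuery]) -> Dict[str, Tuple[int, int]]:
    """For each queried server: (packet count, distinct source count).
    Useful for comparing against the per-server flow counts in the thread."""
    packets: Dict[str, int] = defaultdict(int)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        packets[q.dst] += 1
        sources[q.dst].add(q.src)
    return {d: (packets[d], len(sources[d])) for d in packets}


if __name__ == "__main__":
    qs = parse_capture(SAMPLE_CAPTURE)
    for (dst, name, txid), srcs in shared_txid_sources(qs).items():
        print(f"{dst}: {name} txid={txid} from {len(srcs)} distinct sources")
    for dst, (n, s) in per_destination_summary(qs).items():
        print(f"{dst}: {n} queries from {s} sources")
```

On the sample the only flagged group is (204.69.234.1, www.yishengbo.com., 54817) with seven distinct sources out of eight packets, since 68.181.227.97 appears twice; the two documentation-range queries are left alone. Lowering `min_sources` trades missed small floods for false alarms on popular names queried through a handful of forwarders that happen to reuse an id.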