[nsp-sec] 8 Gbps DDoS against AS 3307 IRC server yesterday
sthaug at nethelp.no
Tue Aug 4 04:52:41 EDT 2009
Yesterday at 16:25 - 16:35 UTC (18:25 - 18:35 Norwegian time) we
received an 8 Gbps DDoS against 217.168.95.245, which is an IRC
server inside AS 3307 (Banetele).

All the traffic arrived on our Global Crossing 10 Gig transit link.
Fortunately for us, BGP stayed up, and ordinary customer traffic was
not affected.

Most of the traffic was UDP with random destination ports, and I
would not be surprised if it is spoofed within the respective address
blocks. We also saw IP protocol scanning from 91.199.167.17 (starting
at IP proto 1 and going upwards).

The largest sources were:

  Proxad       4.44 Gbps  AS12322  88.191.0.0/16
  Schlund/1&1  1.96 Gbps  AS8560   87.106.0.0/16
  Server4you   0.73 Gbps  AS30083  69.64.32.0/19
  Reasonnet    0.78 Gbps  AS25525  79.99.129.71 + 91.199.167.17

The largest single IP source was 88.191.102.55 at 0.91 Gbps. It would
be rather surprising if Proxad didn't notice this one.

Below is a list of the sources. Please note the possibility of address
spoofing as mentioned above.

We don't need any action taken against the 217.168.95.245 IRC server
address at this time. However, if anybody would like to use this to
go bot hunting it would be nice.

Steinar Haug, AS 2116 / AS 3307