[nsp-sec] was US and KR gov attack was launched against a penny stock site.

Smith, Donald Donald.Smith at qwest.com
Fri Aug 7 17:54:35 EDT 2009


This attack was reported to the handlers list Wednesday 8/5 at 3:41 MST. I have worked with the person that reported this many times in the past. The traffic was very similar to the US and Korean government attacks that happened in early July. GET / and UDP 80 were both being used; most of the traffic was coming from Asia. Most IP addresses in the list are owned by ISPs in the Asia Pacific region.

These customers are probably infected with DOZER although I can't be sure of that.
Only IPs that connected 100+ times/minute were put in this list. Full three-way handshake was used, so these are not spoofed.
Some were seen sending 1k-3k times per minute.

https://asn.cymru.com/nsp-sec/upload/1249680036.whois.txt

If anyone can validate elements of the list please do so.
Thanks.


Sharing: Author's permission required except within your organization, anonymize.

Donald.Smith at qwest.com gcia 
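
The selection rule described in the message above (sources making 100+ `GET /` connections per minute), sketched as an added example that is not part of the original post or the reporter's tooling. It assumes a common/combined-format web access log; the log lines and documentation-range addresses are constructed, and UDP 80 traffic, which never reaches a web server log, is out of scope.

```python
import re
from collections import Counter
from datetime import datetime

THRESHOLD = 100  # the post's cut-off: 100+ connections per minute

# Common/combined log format prefix: client, timestamp, request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def heavy_hitters(lines, threshold=THRESHOLD):
    """Return {ip: peak 'GET /' count in any one minute} for IPs at or above threshold."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess
        ip, stamp, method, path = m.groups()
        if method != "GET" or path != "/":
            continue  # only the flood pattern named in the post
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        per_minute[(ip, ts.replace(second=0))] += 1
    peaks = {}
    for (ip, _minute), n in per_minute.items():
        if n >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def make_sample():
    """Constructed log lines (documentation-range IPs), not data from the incident."""
    fmt = '{ip} - - [05/Aug/2009:15:{m:02d}:{s:02d} -0700] "GET {p} HTTP/1.1" 200 512'
    lines = []
    # 150 requests for / inside one minute: above the cut-off
    lines += [fmt.format(ip="203.0.113.7", m=41, s=i % 60, p="/") for i in range(150)]
    # 120 requests spread over two minutes (60 each): below the cut-off
    lines += [fmt.format(ip="198.51.100.9", m=41 + i // 60, s=i % 60, p="/")
              for i in range(120)]
    # 200 requests in one minute, but not for "/": ignored by the filter
    lines += [fmt.format(ip="192.0.2.55", m=42, s=i % 60, p="/quotes") for i in range(200)]
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(heavy_hitters(make_sample()).items()):
        print(f"{ip}\t{peak}/min")
```

An entry in the access log means the server received a full HTTP request, which requires a completed TCP handshake, so the flagged source addresses are not spoofed.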



