[nsp-sec] Attack on www.betinternet.com TCP/80
Nick Hilliard
nick at inex.ie
Sun Aug 30 08:41:01 EDT 2009
Forwarded from GX Networks.
Nick
-------- Original Message --------
Subject: Attack on www.betinternet.com TCP/80
Date: Sun, 30 Aug 2009 13:32:06 +0100
From: Rob Shakir <rjs at eng.gxn.net>
Hi nsp-sec,
We're currently dealing with an attack on www.betinternet.com tcp/80 since
Friday. The service is located on 83.218.15.254.
The attack appears to be around 50-60mbps (i.e. not particularly high
volume), but is still affecting our end customer's application. The traffic
volume at approximately 12:00 GMT was as per below:
                         pps         bps
Unfiltered Traffic:     6414     4692782
Filtered Traffic:      41395    47896825
As far as we can see, this appears to be mostly Windows-based zombies. We
were originally able to mitigate this by filtering the following
User-Agent: headers:
User-Agent.*www\.lolyousuck\.com
User-Agent.*i\.love\.teh\.cock
User-Agent.*www\.googlebawt\.com
User-Agent:.*Slurp/cat
User-Agent:.*www\.supercocklol\.com
User-Agent:.*DigExt
We also saw a large number of requests with the following Accept: header:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd\.ms-excel, application/msword,
The zombies appear to be changing to */* as we have mitigated this.
As per a previous attack in the year, we saw a number of 41 byte packets
that included only the character "G", but as per the previous attack, this
mutated as we filtered it.
We'd really appreciate it if anyone can identify the C&C and kill it,
and/or clean up any drones that can be accessed. I've attached a full list
- all timestamps are in UTC.
Many thanks in advance,
Rob
--
Rob Shakir <rjs at eng.gxn.net>
Network Development Engineer GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE
This email is subject to: http//www.vialtus.com/disclaimer.html
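An added detection example (not part of the forwarded post or any GX Networks tooling): it applies the User-Agent and Accept signatures quoted above to HTTP request header blocks and tallies hits per signature and per source address, the kind of list an operator would hand to abuse contacts. The sample requests and addresses below are constructed; the last one shows the Accept: */* mutation the post describes, which these signatures no longer catch.

```python
import re
from collections import Counter

# Header signatures quoted in the report, used as written by the poster.
# "." does not match newlines, so each pattern stays on its own header line.
UA_SIGNATURES = [
    r"User-Agent.*www\.lolyousuck\.com",
    r"User-Agent.*i\.love\.teh\.cock",
    r"User-Agent.*www\.googlebawt\.com",
    r"User-Agent:.*Slurp/cat",
    r"User-Agent:.*www\.supercocklol\.com",
    r"User-Agent:.*DigExt",
]
ACCEPT_SIGNATURE = (r"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
                    r"application/x-shockwave-flash, application/vnd\.ms-excel, application/msword,")
COMPILED = [(p, re.compile(p)) for p in UA_SIGNATURES + [ACCEPT_SIGNATURE]]

def classify_request(headers: str):
    """Return the first signature matching a raw request header block, else None."""
    for pattern, rx in COMPILED:
        if rx.search(headers):
            return pattern
    return None

def tally_sources(requests):
    """requests: iterable of (client_ip, raw_headers) -> (hits per signature, hits per ip).
    Only matching requests are counted, so a source with zero hits never appears."""
    per_sig, per_ip = Counter(), Counter()
    for ip, hdrs in requests:
        sig = classify_request(hdrs)
        if sig is not None:
            per_sig[sig] += 1
            per_ip[ip] += 1
    return per_sig, per_ip

# Constructed sample traffic (documentation-range addresses, not real drones).
H = "GET / HTTP/1.1\r\nHost: www.betinternet.com\r\n"
SAMPLE_REQUESTS = [
    ("198.51.100.7", H + "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt)\r\n\r\n"),
    ("198.51.100.7", H + "User-Agent: www.googlebawt.com\r\n\r\n"),
    ("203.0.113.9", H + "User-Agent: Mozilla/4.0\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, "
     "image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*\r\n\r\n"),
    ("192.0.2.20", H + "User-Agent: Mozilla/5.0 (X11; Linux)\r\nAccept: text/html\r\n\r\n"),
    ("203.0.113.9", H + "User-Agent: Mozilla/4.0\r\nAccept: */*\r\n\r\n"),  # mutated: not matched
]

if __name__ == "__main__":
    per_sig, per_ip = tally_sources(SAMPLE_REQUESTS)
    for ip, n in per_ip.most_common():
        print(f"{ip}\t{n} matching requests")
```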
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: betinternet-ddos-20090829.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090830/24267397/attachment-0001.txt>