[nsp-sec] Possible AT&T DoS
Jose Nazario
jose at arbor.net
Tue Feb 3 16:28:37 EST 2009
>> We are seeing quite a bit of TCP ACK traffic all of a sudden to
>> 63.240.117.170.
recently been beat on by the team usa botnet, who IIRC love ACK floods.
C&C                                    C&C Port  Command   Timestamp
(63.173.172.98)                        6668      xusa ack  2009-01-04 11:17:07
(63.173.172.98)                        6668      xusa ack  2009-01-05 15:43:38
(63.173.172.98)                        6668      xusa ack  2009-01-09 04:37:22
(63.173.172.98)                        6668      xusa ack  2009-01-11 07:54:13
(63.173.172.98)                        6668      xusa ack  2009-01-11 08:15:12
(63.173.172.98)                        6668      xusa ack  2009-01-15 04:06:38
unknown.carohosting.net (76.76.19.32)  3921      xusa ack  2009-01-28 21:14:21
(63.173.172.98)                        6668      xusa ack  2009-01-28 21:19:23
unknown.carohosting.net (76.76.19.32)  3921      xusa ack  2009-01-28 22:07:18
(63.173.172.98)                        6668      xusa ack  2009-01-28 22:07:19
i have nothing in the past few days tho. all data from shadowserver logs.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/