[nsp-sec] Possible AT&T DoS

Tino Steward tsteward at us.ntt.net
Thu Feb 5 09:09:41 EST 2009


Joey,
Sorry, I was unable to get much of anything in the way of logs on this.
tino

On Wed, Feb 04, 2009 at 07:46:25PM +0000, Tino Steward wrote:
> I'll see what I can find. I didn't save any of the logs from yesterday, but I'll see if we have anything.
> tino
> 
> On Tue, Feb 03, 2009 at 04:33:00PM -0500, CASEY, JOEL J, ATTSI wrote:
> > Rob, Tino
> > 
> > Can one of you send an email with logs, IP&time-date stamp data?
> > Thanks
> > 
> > Joel Casey
> > Security Manager
> > AT&T CSO Internet Services Security Center
> > joeljcasey at att.com
> > Desk:919-319-8115
> > Mobile:919-949-5058
> > 
> > 
> > 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
> > Sent: Tuesday, February 03, 2009 4:24 PM
> > To: Tino Steward
> > Cc: NSP-Security
> > Subject: Re: [nsp-sec] Possible AT&T DoS
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Hey, Tino.
> > 
> > > We are seeing quite a bit of TCP ACK traffic all of a sudden to 63.240.117.170.
> > 
> > We see 63.240.117.170 attempting to connect to a known C&C on
> > 196.205.243.52.  The C&C port we see is on TCP 1993, however.  The most
> > recent connection attempt is 2009-01-15 19:14:48 UTC.
> > 
> > Dunno if that's related, but I thought I'd mention it.
> > 
> > Thanks,
> > Rob.
> > --
> > Rob Thomas
> > Team Cymru
> > http://www.team-cymru.org/
> > cmn_err(CEO_PANIC, "Out of coffee!");
> > 
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> 
> -- 
> 
> Tino T. Steward SNA1 - Security & Abuse	                                     tsteward at us.ntt.net
> NTT Communications Global IP Network Operations Center                       
> 214-853-7344 (Ph.)                                                           214.800.7771 (Fax) 
> 
> AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html 
> AUP online: http://www.ntt.net/library/pdf/AUP.pdf 
> 
> Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.
> 
> Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html
> 
> Latest viruses: http://www.cert.org
> 
> Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html 
> 
