[nsp-sec] DDoS to the Presidential web site of Uruguay
Smith, Donald
Donald.Smith at qwest.com
Fri Feb 6 15:26:50 EST 2009
They may be blocking at their borders but the drops are occurring much sooner than that.
chi1-qwest-2.chi.seabone.net is the last router to reply to the traceroute.
That is a border router in Chicago owned by seabone.net.
Next hop should probably have been a seabone core or agg router but it never got there, so from my pov it is being dropped by seabone.net.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: Nicholas Ianelli [mailto:ni at cert.org]
> Sent: Friday, February 06, 2009 1:01 PM
> To: Smith, Donald
> Cc: 'nsp-security NSP'
> Subject: Re: [nsp-sec] DDoS to the Presidential web site of Uruguay
>
> - From the reporter:
>
> "Right now we are filtering all the traffic to the site from the outside
> on the Uruguay Internet Border routers to re-up the system internally."
>
> Nick
>
>
> Smith, Donald wrote:
> > Nic, I used flows from today starting with 12:00 GMT.
> > If I did my math correctly and they spotted this at 12:08 GMT-2, I think I have to go back and use the 2200-2359 flows from yesterday. Is that correct??
> >
> > I also did a bi-directional netflow report for 200.40.175.8 from today and saw nothing towards or from that ip.
> >
> > So I tried traceroute and connections to port 80 on that ip:)
> >
> >> traceroute 200.40.175.8
> > traceroute to 200.40.175.8 (200.40.175.8), 64 hops max, 40 byte packets
> > 1 min-core-02.inet.qwest.net (205.171.128.194) 0.371 ms 0.275 ms 0.352 ms
> > 2 cer-core-02.inet.qwest.net (67.14.8.14) 10.109 ms 10.334 ms 11.461 ms
> > 3 chp-brdr-01.inet.qwest.net (205.171.139.150) 10.334 ms 10.193 ms 10.225 ms
> > 4 chi1-qwest-2.chi.seabone.net (195.22.222.157) 10.364 ms 11.201 ms 10.296 ms
> > 5 * * *
> > 6 * * *
> > 7 * *^C
> >
> >
> >> telnet 200.40.175.8 80
> > Trying 200.40.175.8...
> > telnet: connect to address 200.40.175.8: Operation timed out
> > telnet: Unable to connect to remote host
> >
> >
> > It looks down to me. Traceroute died and I couldn't connect to port 80 with telnet as it timed out.
> >
> >
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith at qwest.com gcia
> >
> >> -----Original Message-----
> >> From: Nicholas Ianelli [mailto:ni at cert.org]
> >> Sent: Friday, February 06, 2009 12:33 PM
> >> To: Smith, Donald
> >> Cc: 'nsp-security NSP'
> >> Subject: Re: [nsp-sec] DDoS to the Presidential web site of Uruguay
> >>
> > Don,
> >
> > Does this help:
> >
> > The timezone is GMT-2 (now is 16:48)
> >
> > 2009-02-06 12:08:40 71.210.189.217 - 200.40.175.8 80 GET /Default.htm - 500 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)
>
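Two checks the thread turns on are where the traceroute stops answering and which UTC netflow window a GMT-2 log timestamp falls into. The script below is an added example written for this archive page, not code from either poster; it parses a constructed copy of the traceroute and the IIS-style log line quoted above, reports the last responding hop, and maps the reporter's local timestamp to an hourly UTC flow window (including the day rollover Don was asking about).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copies of the outputs quoted in the thread.
TRACEROUTE = """\
traceroute to 200.40.175.8 (200.40.175.8), 64 hops max, 40 byte packets
 1 min-core-02.inet.qwest.net (205.171.128.194) 0.371 ms 0.275 ms 0.352 ms
 2 cer-core-02.inet.qwest.net (67.14.8.14) 10.109 ms 10.334 ms 11.461 ms
 3 chp-brdr-01.inet.qwest.net (205.171.139.150) 10.334 ms 10.193 ms 10.225 ms
 4 chi1-qwest-2.chi.seabone.net (195.22.222.157) 10.364 ms 11.201 ms 10.296 ms
 5 * * *
 6 * * *
 7 * *
"""
LOG_LINE = ("2009-02-06 12:08:40 71.210.189.217 - 200.40.175.8 80 GET /Default.htm - 500 "
            "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)")

# Hop number, hostname and IP of a traceroute line that got a reply ("* * *" lines do not match).
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")

def last_responding_hop(output):
    """Return (hop, hostname, registrable domain) of the last hop that answered."""
    last = None
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, host = int(m.group(1)), m.group(2)
            last = (hop, host, ".".join(host.split(".")[-2:]))
    return last

def parse_iis_line(line):
    """Split a W3C-style IIS log line into the fields the thread cares about."""
    f = line.split()
    return {"ts": f"{f[0]} {f[1]}", "client": f[2], "server": f[4],
            "port": int(f[5]), "method": f[6], "uri": f[7], "status": int(f[9])}

def log_time_to_utc(local_ts, utc_offset_hours):
    """Interpret 'YYYY-MM-DD HH:MM:SS' in the given fixed offset and convert to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)

def flow_window(utc_dt):
    """Name the hourly flow bucket (HHMM-HHMM, UTC) that contains utc_dt."""
    start = utc_dt.replace(minute=0, second=0, microsecond=0)
    return f"{start:%Y-%m-%d %H%M}-{start + timedelta(minutes=59):%H%M}"

if __name__ == "__main__":
    print("last hop answering:", last_responding_hop(TRACEROUTE))
    rec = parse_iis_line(LOG_LINE)
    print("flow window to pull:", flow_window(log_time_to_utc(rec["ts"], -2)))
```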