[nsp-sec] Metasploit DDoS IP -> ASN mappings
jose nazario
jose at arbor.net
Mon Feb 9 09:39:09 EST 2009
Oops, forgot to attach the list of IPs and ASNs seen attacking.
Thanks again.
On 2/9/09 9:37 AM, "jose nazario" <jose at arbor.net> wrote:
> Actively seeking C&C info on this weekend's metasploit/milw0rm/packetstorm
> attacks.
>
> Here's a few hundred of the thousands of IPs attacking metasploit.com.
> Combined TCP SYN flood and HTTP GET floods. Things look like this:
>
> 1234118825.933552 IP (tos 0x0, ttl 107, id 48323, offset 0, flags [DF], proto
> TCP (6), length 48) 79.132.127.6.2055 > 66.240.213.81.80: S, cksum 0x6f92
> (correct), 149691282:149691282(0) win 65535 <mss 1440,nop,nop,sackOK>
> 1234118825.933570 IP (tos 0x0, ttl 105, id 12221, offset 0, flags [DF], proto
> TCP (6), length 48) 80.48.33.21.1595 > 66.240.213.81.80: S, cksum 0x41a0
> (correct), 853442946:853442946(0) win 64800 <mss 1440,nop,nop,sackOK>
> 1234118825.933576 IP (tos 0x0, ttl 103, id 65138, offset 0, flags [DF], proto
> TCP (6), length 48) 88.249.217.249.2739 > 66.240.213.81.80: S, cksum 0x0e09
> (correct), 1213978251:1213978251(0) win 65535 <mss 1452,nop,nop,sackOK>
> 1234118825.934302 IP (tos 0x0, ttl 105, id 48015, offset 0, flags [DF], proto
> TCP (6), length 48) 85.105.116.193.3296 > 66.240.213.81.80: S, cksum 0xeba4
> (correct), 891253447:891253447(0) win 65535 <mss 1452,nop,nop,sackOK>
>
>
> No timestamps but everything is within a few seconds of each other. Timestamps
> in UTC.
>
> Top 10 ASNs by bot count (columns: bots, ASN, AS name):
>
> 333 9121 TTNET TTnet Autonomous System
> 50 5617 TPNET Polish Telecom_s commercial IP network
> 24 9050 RTD RTD-ROMTELECOM Autonomous System Number
> 19 8997 ASN-SPBNIT OJSC North-West Telecom Autonomous System
> 15 20771 CAUCASUS-CABLE-SYSTEM CCS Autonomous System
> 13 8708 RDSNET RCS & RDS S.A.
> 12 12978 DOGAN-ONLINE Dogan Iletisim Elektronik Servis Hizmetleri AS
> 8 6746 ASTRAL ASTRAL Telecom SA, Romania
> 7 9198 KAZTELECOM-AS Kazakhtelecom Corporate Sales Administration
> 7 25019 SAUDINETSTC-AS Autonomus System Number for SaudiNet
>
>
>
> I have no C&C logs at this point, actively seeking.
>
> Thank you.
>
> -- jose
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> Arbor Networks www.arbornetworks.com
> v: (734) 821 1427
> PGP: 0x40A7BF94
> -------------------------------------------------------------
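An added example, not part of Jose's post or of any Arbor tooling, showing the glue an analyst would write to get from tcpdump -v output like the records quoted above to a "top ASNs by bot count" table: it reassembles the wrapped records, keeps the distinct sources that sent a bare SYN to the target, maps each to an ASN by longest-prefix match, and ranks the result with unmapped addresses kept as their own bucket. The prefix-to-ASN table and the two extra packet records are constructed stand-ins (the prefixes are not routing data); a real run would load a RouteViews pfx2as snapshot or query the Team Cymru IP-to-ASN whois service instead. It also accepts the newer "Flags [S]" syntax that tcpdump 4.x prints.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input in tcpdump -v form: the four records quoted in the
# post plus two constructed ones (a second SYN from 88.249.217.249 on another
# port, and one from 85.105.200.1) to exercise de-duplication and aggregation.
SAMPLE_TCPDUMP = """\
1234118825.933552 IP (tos 0x0, ttl 107, id 48323, offset 0, flags [DF], proto
TCP (6), length 48) 79.132.127.6.2055 > 66.240.213.81.80: S, cksum 0x6f92
(correct), 149691282:149691282(0) win 65535 <mss 1440,nop,nop,sackOK>
1234118825.933570 IP (tos 0x0, ttl 105, id 12221, offset 0, flags [DF], proto
TCP (6), length 48) 80.48.33.21.1595 > 66.240.213.81.80: S, cksum 0x41a0
(correct), 853442946:853442946(0) win 64800 <mss 1440,nop,nop,sackOK>
1234118825.933576 IP (tos 0x0, ttl 103, id 65138, offset 0, flags [DF], proto
TCP (6), length 48) 88.249.217.249.2739 > 66.240.213.81.80: S, cksum 0x0e09
(correct), 1213978251:1213978251(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118825.934302 IP (tos 0x0, ttl 105, id 48015, offset 0, flags [DF], proto
TCP (6), length 48) 85.105.116.193.3296 > 66.240.213.81.80: S, cksum 0xeba4
(correct), 891253447:891253447(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118828.100000 IP (tos 0x0, ttl 103, id 65140, offset 0, flags [DF], proto
TCP (6), length 48) 88.249.217.249.2740 > 66.240.213.81.80: S, cksum 0x0000
(correct), 1213978300:1213978300(0) win 65535 <mss 1452,nop,nop,sackOK>
1234118828.100500 IP (tos 0x0, ttl 110, id 31337, offset 0, flags [DF], proto
TCP (6), length 48) 85.105.200.1.1042 > 66.240.213.81.80: S, cksum 0x0000
(correct), 4242:4242(0) win 65535 <mss 1452,nop,nop,sackOK>
"""

# Constructed prefix -> (ASN, AS name) table. It stands in for a real source
# (RouteViews pfx2as or the Team Cymru IP-to-ASN service) and is illustrative
# only, not routing data. The /24 with private ASN 64512 is there to show that
# the most specific prefix wins.
PREFIX_TO_ASN = {
    "80.48.0.0/16": (5617, "TPNET"),
    "85.105.0.0/16": (9121, "TTNET"),
    "88.249.0.0/16": (9121, "TTNET"),
    "88.249.217.0/24": (64512, "EXAMPLE-MORE-SPECIFIC"),
}

RECORD_START = re.compile(r"^\d+\.\d+ IP ")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "src.port > dst.port: S," (tcpdump 3.x, as in the post) or ": Flags [S]," (4.x)
FLOW_RE = re.compile(IP + r"\.(\d+) > " + IP + r"\.(\d+): (?:Flags \[([^\]]*)\]|([A-Za-z.]+)),")


def parse_records(text):
    """Reassemble records wrapped across lines (each starts with an epoch
    timestamp) and extract src, dst, ports and TCP flags; unparsable ones are dropped."""
    packets, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                packets.append(" ".join(current))
            current = [line.strip()]
        elif current:
            current.append(line.strip())
    if current:
        packets.append(" ".join(current))
    records = []
    for pkt in packets:
        m = FLOW_RE.search(pkt)
        if m:
            src, sport, dst, dport, new_flags, old_flags = m.groups()
            records.append({"ts": float(pkt.split(" ", 1)[0]), "src": src,
                            "sport": int(sport), "dst": dst, "dport": int(dport),
                            "flags": new_flags if new_flags is not None else old_flags})
    return records


def syn_sources(records, dst, dport):
    """Distinct sources that sent a bare SYN to dst:dport. Count hosts, not
    packets: a bot retransmitting SYNs is still one bot."""
    return {r["src"] for r in records
            if r["dst"] == dst and r["dport"] == dport and r["flags"] == "S"}


def build_table(mapping):
    return [(ipaddress.ip_network(p), asn, name) for p, (asn, name) in mapping.items()]


def lookup_asn(ip, table):
    """Longest-prefix match; (None, 'UNMAPPED') when no prefix covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, "UNMAPPED")


def top_asns(ips, mapping=PREFIX_TO_ASN, n=10):
    """Rank ASNs by distinct attacking IPs, like the post's table; unmapped
    addresses stay visible as their own bucket instead of being dropped."""
    table = build_table(mapping)
    counts = Counter(lookup_asn(ip, table) for ip in ips)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0] is None, kv[0][0] or 0))
    return [(count, asn, name) for (asn, name), count in ranked[:n]]


def report(text=SAMPLE_TCPDUMP, dst="66.240.213.81", dport=80):
    return top_asns(syn_sources(parse_records(text), dst, dport))


if __name__ == "__main__":
    for count, asn, name in report():
        print(f"{count:5d} {asn if asn is not None else '-':>6} {name}")
```

Two caveats when reading the resulting table. Bare-SYN sources can be spoofed, so per-ASN counts from the SYN-flood half of the traffic are only as trustworthy as the sources themselves; the HTTP GET half completes a handshake, so running the same aggregation over established connections (or over server-side access logs) gives numbers worth acting on. And the size of the UNMAPPED bucket is a quality signal for whatever prefix data was loaded: if it is large, the mapping snapshot is stale or incomplete, not the attack.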