[nsp-sec] DDoS nodes within AS20773
Felix Schueren
felix.schueren at hosteurope.de
Tue Jan 13 04:06:30 EST 2009
Dear colleagues,
we have 14 0wned nodes within 20773 that were synchronously flooding
several targets with ~300k pps UDP to port 53 through the night - I've
had them shut down for now, some might come up as they're being
investigated. Times in CET (GMT+1), data from 1/1000 sampling, so
multiply packets/pps/bytes/bps by 1000. As all flooding nodes started
the floods at identical timestamps, these probably belong to the same
botnet, hopefully the data helps in finding the C&C.
Kind regards,
Felix
--
Felix Schüren
Head of NOC
------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Telefon: (0800) 4 67 83 87 - Telefax: (01805) 66 32 33
HRB 28495 Amtsgericht Köln - UST ID DE187370678
Geschäftsführer:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: outbound-floods-as20773-2009-01-13.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090113/be48fe10/attachment-0001.txt>
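Added example, not part of the original post or its scrubbed attachment: one way to scale 1-in-1000 sampled flow records back to estimated packet rates and group UDP/53 sources that began flooding the same target at the same second, which is the correlation the post uses to attribute the nodes to one botnet. The record layout, the 100k pps threshold, the function names and the sample records (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

SAMPLING_RATE = 1000  # 1-in-1000 sampling, as stated in the post

# Constructed sample records (assumed layout, not the real attachment):
# date time(CET) src dst dst_port proto sampled_packets duration_seconds
SAMPLE_FLOWS = """\
2009-01-13 01:12:00 192.0.2.10 198.51.100.5 53 udp 9000 30
2009-01-13 01:12:00 192.0.2.11 198.51.100.5 53 udp 8700 30
2009-01-13 01:12:00 192.0.2.12 198.51.100.5 53 udp 9300 30
2009-01-13 01:40:17 192.0.2.40 203.0.113.9 53 udp 2 30
2009-01-13 02:05:00 192.0.2.10 203.0.113.77 53 udp 9100 30
2009-01-13 02:05:00 192.0.2.11 203.0.113.77 53 udp 8900 30
"""

def parse_flows(text):
    """Yield one dict per record, with the packet rate scaled for sampling."""
    for line in text.splitlines():
        date, time, src, dst, port, proto, pkts, secs = line.split()
        yield {
            "start": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "port": int(port), "proto": proto,
            # Sampled count * sampling rate / duration = estimated real pps.
            "pps": int(pkts) * SAMPLING_RATE / int(secs),
        }

def synchronized_flooders(flows, min_pps=100_000, min_hosts=2):
    """Group high-rate UDP/53 sources by (start time, target).

    min_pps and min_hosts are assumed thresholds; a lone resolver doing
    ordinary DNS lookups falls far below them and is ignored.
    """
    groups = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["port"] == 53 and f["pps"] >= min_pps:
            groups[(f["start"], f["dst"])].add(f["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}

def suspected_members(groups):
    """Every source seen in at least one synchronized group."""
    return sorted({src for hosts in groups.values() for src in hosts})

if __name__ == "__main__":
    groups = synchronized_flooders(parse_flows(SAMPLE_FLOWS))
    for (start, dst), hosts in sorted(groups.items()):
        print(start, dst, hosts)
    print("suspected:", suspected_members(groups))
```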