[nsp-sec] DDoS nodes within AS20773

Felix Schueren felix.schueren at hosteurope.de
Tue Jan 13 04:46:54 EST 2009


> we have 14 0wned nodes within 20773 that were synchronously flooding
> several targets with ~300k pps UDP to port 53 through the night - I've
> had them shut down for now, some might come up as they're being
> investigated. Times in CET (GMT+1), data from 1/1000 sampling, so
> multiply packets/pps/bytes/bps with 1000. As all flooding nodes started
> the floods at identical timestamps, these probably belong to the same
> botnet, hopefully the data helps finding the C&C.

digging into some more flows, it appears as though all of these hosts
were connected to the same Quakenet IRC server for the last couple days
at least:

     Src IP Addr:Port       Dst IP Addr Date flow start
  194.124.229.59:6667     87.230.33.123 2009-01-11 22:51:58.197
  194.124.229.59:6667     87.230.24.197 2009-01-12 04:28:52.578
  194.124.229.59:6667     87.230.35.135 2009-01-12 00:21:49.268
  194.124.229.59:6667     87.230.94.215 2009-01-12 03:24:44.714
  194.124.229.59:6667     87.230.85.223 2009-01-12 00:29:06.744
  194.124.229.59:6667     87.230.22.124 2009-01-12 05:17:32.008
  194.124.229.59:6667      87.230.35.87 2009-01-13 04:56:41.496
  194.124.229.59:6667      87.230.95.34 2009-01-12 02:36:54.103
  194.124.229.59:6667       87.230.9.60 2009-01-12 03:56:44.747
  194.124.229.59:6667      87.230.9.147 2009-01-12 14:48:11.099
  194.124.229.59:6667     87.230.16.155 2009-01-13 07:11:39.262
  194.124.229.59:6667     87.230.27.244 2009-01-12 07:30:38.735
  194.124.229.59:6667     87.230.35.121 2009-01-12 12:40:39.018
  194.124.229.59:6667     87.230.14.170 2009-01-11 20:57:19.946

PTR for 194.124.229.59: clanserver4u.de.quakenet.org.


-felix

--
Felix Schüren
Head of NOC

------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Telefon: (0800) 4 67 83 87 - Telefax: (01805) 66 32 33
HRB 28495 Amtsgericht Köln - UST ID DE187370678
Geschäftsführer:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
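
An added example, not part of the original message: one way to do the correlation described above, ranking remote endpoints by how many of the known flooding hosts exchanged flows with them. The flow lines are constructed with documentation-range addresses in the same three-column layout as the table in the message, and `parse_flow`, `common_peers` and `min_share` are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (documentation-range addresses, not data from the
# original message), in the layout: remote:port  local-host  date  time
SAMPLE_FLOWS = """\
     Src IP Addr:Port  Dst IP Addr Date flow start
  198.51.100.7:6667     192.0.2.10 2009-01-11 22:51:58.197
  198.51.100.7:6667     192.0.2.11 2009-01-12 04:28:52.578
  198.51.100.7:6667     192.0.2.12 2009-01-12 00:21:49.268
  203.0.113.80:80       192.0.2.10 2009-01-12 01:00:00.000
  203.0.113.80:80       192.0.2.99 2009-01-12 01:05:00.000
  203.0.113.25:25       192.0.2.11 2009-01-12 02:00:00.000
  garbage line
"""
SUSPECTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # hosts seen flooding


def parse_flow(line):
    """Return (remote_ip, remote_port, local_ip, start) or None if unparsable."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[0]:
        return None  # header, blank or damaged line
    ip, _, port = parts[0].rpartition(":")
    try:
        start = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S.%f")
        return ip, int(port), parts[1], start
    except ValueError:
        return None


def common_peers(text, suspects, min_share=0.8):
    """Rank remote endpoints by the share of suspect hosts that talked to them."""
    hosts, first_seen = defaultdict(set), {}
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec[2] not in suspects:
            continue  # ignore flows of hosts that were not flooding
        peer = (rec[0], rec[1])
        hosts[peer].add(rec[2])
        first_seen[peer] = min(first_seen.get(peer, rec[3]), rec[3])
    ranked = [(p, len(h) / len(suspects), first_seen[p]) for p, h in hosts.items()
              if len(h) / len(suspects) >= min_share]
    # Highest coverage first; ties broken by earliest first contact.
    return sorted(ranked, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    for (ip, port), share, seen in common_peers(SAMPLE_FLOWS, SUSPECTS):
        print(f"{ip}:{port} contacted by {share:.0%} of suspects, first seen {seen}")
```

An endpoint that nearly every flooding host shares, and that unaffected hosts do not, is the candidate worth checking first; popular services will also score high and need to be filtered against a baseline of clean hosts.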