[nsp-sec] Multiple DDoS attacks

Matthew.Swaar at us-cert.gov Matthew.Swaar at us-cert.gov
Mon Jul 6 15:43:01 EDT 2009


Fun weekend... Several customers of mine are getting some packet love
that began on 4 July and is ongoing.  I'm still pulling traffic to
isolate attack vectors, but one that we've already confirmed is TCP/UDP
80.

The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
entirely likely that they're being spoofed.  (I'll go ahead and build a
list anyways, in case they aren't.  That will come later.)

My victim list looks like (so far, this is still being fleshed out too):

204.68.195.29
www.dot.gov
faa.gov
fmcsa.dot.gov
nhtsa.dot.gov
phmsa.dot.gov
ftc.gov
treas.gov
secretservice.gov
Please do not blackhole any of these, but if you see DDoS
traffic/sources that you can squish, I would appreciate it.

Very Respectfully,

US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
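The two vectors the post describes (TCP/80 flows that never get past SYN, and UDP datagrams to port 80 of pseudo-random size) can be picked out of flow records per destination. The following is an added example, not part of the original message or of any US-CERT tooling: it parses a simplified, constructed flow format (one record per line, `proto src:port > dst:port flags bytes`; not any real exporter's format), and flags destinations that receive mostly half-open TCP/80 flows or a burst of UDP/80 datagrams with widely varying sizes. The addresses are documentation ranges and the thresholds are arbitrary defaults a practitioner would tune to their own baseline; the distinct-source count is reported so an operator can judge whether source-based filtering is even meaningful when sources are likely spoofed.

```python
"""Flag destinations receiving a TCP/80 SYN flood or a UDP/80 random-size flood.

Added example with constructed data; the record format is an assumption, not a
real exporter's output.
"""
import re
from collections import defaultdict
from statistics import pstdev

# Assumed record format:  proto src_ip:src_port > dst_ip:dst_port tcp_flags bytes
# tcp_flags is "-" for UDP; a TCP flow whose only observed flag is "S" never completed.
FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: 203.0.113.10 is under attack, 203.0.113.20 sees normal web traffic.
SAMPLE_FLOWS = """\
tcp 198.51.100.11:40001 > 203.0.113.10:80 S 60
tcp 198.51.100.12:40002 > 203.0.113.10:80 S 60
tcp 198.51.100.13:40003 > 203.0.113.10:80 S 60
tcp 198.51.100.14:40004 > 203.0.113.10:80 S 60
tcp 198.51.100.15:40005 > 203.0.113.10:80 S 60
tcp 198.51.100.16:40006 > 203.0.113.10:80 S 60
udp 198.51.100.21:53001 > 203.0.113.10:80 - 37
udp 198.51.100.22:53002 > 203.0.113.10:80 - 812
udp 198.51.100.23:53003 > 203.0.113.10:80 - 255
udp 198.51.100.24:53004 > 203.0.113.10:80 - 1190
udp 198.51.100.25:53005 > 203.0.113.10:80 - 604
tcp 192.0.2.5:50100 > 203.0.113.20:80 SA 3400
tcp 192.0.2.6:50101 > 203.0.113.20:80 A 1200
tcp 192.0.2.7:50102 > 203.0.113.20:80 S 60
"""


def analyze(flows_text, syn_min=5, syn_only_ratio=0.9, udp_min=5, udp_size_stdev=100):
    """Return {dst_ip: [reason, ...]} for destinations matching either flood pattern.

    Thresholds are arbitrary defaults (an assumption), meant to be tuned per network.
    """
    per_dst = defaultdict(lambda: {
        "tcp80": 0, "syn_only": 0, "syn_srcs": set(),
        "udp80_sizes": [], "udp_srcs": set(),
    })

    for line in flows_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the whole run
        if m["dport"] != "80":
            continue  # only the port-80 vectors are of interest here
        st = per_dst[m["dst"]]
        if m["proto"] == "tcp":
            st["tcp80"] += 1
            if m["flags"] == "S":  # SYN seen, handshake never completed
                st["syn_only"] += 1
                st["syn_srcs"].add(m["src"])
        else:
            st["udp80_sizes"].append(int(m["bytes"]))
            st["udp_srcs"].add(m["src"])

    findings = {}
    for dst, st in per_dst.items():
        reasons = []
        # SYN flood: enough half-open flows, and they dominate the TCP/80 traffic.
        if st["syn_only"] >= syn_min and st["syn_only"] / st["tcp80"] >= syn_only_ratio:
            reasons.append(
                f"tcp/80 syn flood: {st['syn_only']} half-open flows "
                f"from {len(st['syn_srcs'])} distinct sources"
            )
        # UDP/80 is unusual on its own; random payload sizes show up as a high spread.
        sizes = st["udp80_sizes"]
        if len(sizes) >= udp_min and pstdev(sizes) >= udp_size_stdev:
            reasons.append(
                f"udp/80 random-size flood: {len(sizes)} datagrams, "
                f"size stdev {pstdev(sizes):.0f} bytes, "
                f"{len(st['udp_srcs'])} distinct sources"
            )
        if reasons:
            findings[dst] = reasons
    return findings


if __name__ == "__main__":
    for dst, reasons in analyze(SAMPLE_FLOWS).items():
        for reason in reasons:
            print(f"{dst}: {reason}")
```

Run against the sample, only 203.0.113.10 is reported, with both vectors listed; the host receiving ordinary completed connections plus a single stray SYN is left alone because the SYN-only count stays under the minimum. Against real flow exports the parser would be swapped for the collector's own format, but the per-destination aggregation and the two ratios are what carry over.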