[nsp-sec] Multiple DDoS attacks
Matthew.Swaar at us-cert.gov
Mon Jul 6 16:23:54 EDT 2009
Corrected target list:
204.68.195.29
www.dot.gov
www.faa.gov
www.fmcsa.dot.gov
www.nhtsa.dot.gov
www.phmsa.dot.gov
www.ftc.gov
www.treas.gov
www.secretservice.gov
Additionally: At least one agency has mitigated most of the attack
reaching their network by blocking ~36 /8's from the Asian/Pac Rim.
When I finally get an IP list generated, it would appear that the IPs
aren't spoofed. (Unless they're locally spoofed.)
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: Swaar, Matthew
Sent: Monday, July 06, 2009 3:43 PM
To: nsp-security at puck.nether.net
Cc: Swaar, Matthew
Subject: Multiple DDoS attacks
Fun weekend... Several customers of mine are getting some packet love
that began on 4 July and is ongoing. I'm still pulling traffic to
isolate attack vectors, but one that we've already confirmed is TCP/UDP
80.
The UDP-80 traffic appears to be a pseudo-random byte size. The TCP-80
traffic appears to be a SYN flood. I have a ton of source IPs, but it's
entirely likely that they're being spoofed. (I'll go ahead and build a
list anyway, in case they aren't. That will come later.)
My victim list looks like (so far, this is still being fleshed out too):
204.68.195.29
www.dot.gov
faa.gov
fmcsa.dot.gov
nhtsa.dot.gov
phmsa.dot.gov
ftc.gov
treas.gov
secretservice.gov
Please do not blackhole any of these, but if you see DDoS
traffic/sources that you can squish, I would appreciate it.
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
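Added illustration, not part of the original thread: a small flow-record triage script that separates the two vectors the report names (TCP/80 SYN-only flows and UDP/80 flows with widely varying sizes) per victim and builds the per-vector source list the poster says he is assembling. The flow line format, the sample records (RFC 5737 documentation addresses) and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records (not from the original thread): one line
# per flow in the assumed form "proto src dst dport tcpflags bytes".
SAMPLE_FLOWS = """\
tcp 198.51.100.7 204.68.195.29 80 S 60
tcp 198.51.100.8 204.68.195.29 80 S 60
tcp 198.51.100.9 204.68.195.29 80 S 60
tcp 203.0.113.5 204.68.195.29 80 SA 1500
udp 198.51.100.20 204.68.195.29 80 - 311
udp 198.51.100.21 204.68.195.29 80 - 1207
udp 198.51.100.22 204.68.195.29 80 - 64
udp 203.0.113.6 204.68.195.29 53 - 80
"""

def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        proto, src, dst, dport, flags, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "flags": flags, "bytes": int(nbytes)})
    return flows

def classify_vectors(flows, syn_threshold=3, udp_threshold=3, size_spread=100):
    """Return {dst: {vector: sorted source list}} for the two vectors in the
    report: TCP/80 flows carrying only SYN (SYN flood) and UDP/80 flows whose
    byte sizes vary widely (the "pseudo-random byte size" pattern).
    Thresholds are assumed values, tune them to the observed baseline."""
    syn_srcs = defaultdict(set)
    udp_flows = defaultdict(list)
    for f in flows:
        if f["dport"] != 80:
            continue  # only the TCP/UDP 80 vector confirmed in the report
        if f["proto"] == "tcp" and f["flags"] == "S":
            syn_srcs[f["dst"]].add(f["src"])
        elif f["proto"] == "udp":
            udp_flows[f["dst"]].append(f)
    result = defaultdict(dict)
    for dst, srcs in syn_srcs.items():
        if len(srcs) >= syn_threshold:
            result[dst]["tcp80_syn_flood"] = sorted(srcs)
    for dst, fl in udp_flows.items():
        sizes = [f["bytes"] for f in fl]
        if len(fl) >= udp_threshold and statistics.pstdev(sizes) > size_spread:
            result[dst]["udp80_random_size"] = sorted({f["src"] for f in fl})
    return dict(result)
```

A source list built this way is only an observation list; as the thread notes, SYN-flood sources may be spoofed, so it should not be used as a blocklist without further validation.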