[nsp-sec] Multiple DDoS attacks

Tim Wilde twilde at cymru.com
Mon Jul 6 17:56:19 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> Fun weekend... Several customers of mine are getting some packet love
> that began on 4 July and is ongoing.  I'm still pulling traffic to
> isolate attack vectors, but one that we've already confirmed is TCP/UDP
> 80.
> 
> The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
> traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
> entirely likely that they're being spoofed.  (I'll go ahead and build a
> list anyways, in case they aren't.  That will come later.)

Folks,

Posting a source IP list for the UDP/80 side of this DDoS attack on
behalf of Matt.  You can find the full list (1.6MB ASN sorted) here:

	https://www.cymru.com/nsp-sec/Owned/swaar-udpdos-2009-07-06.txt

Timestamps are the last time that IP was seen hitting one of the victim
hosts on UDP/80, in GMT.  Each of these IPs generated at least 10k
packets to any of 3 victim IPs, and should be relatively free of FPs.

I've included a list of all ASNs represented within the file below my
signature.

Please follow-up on-list or directly to Matt so he can answer questions
about the source data for the list as appropriate.

Regards,
Tim Wilde

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFKUnMDluRbRini9tgRAp2wAJ9Yo2zn88Xec/6lBcaae0xsCkCg/QCfQvgT
Ov5T/c5zipT/Jqv+Q13iwI4=
=hS6O
-----END PGP SIGNATURE-----


