[nsp-sec] Multiple DDoS attacks

Dave Mitchell davem at yahoo-inc.com
Mon Jul 6 18:01:04 EDT 2009


Out of curiosity, mixed with these syn floods are you seeing valid HTTP
GETS / and some ICMP floods?

-dave

On Mon, Jul 06, 2009 at 05:56:19PM -0400, Tim Wilde wrote:
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> > Fun weekend... Several customers of mine are getting some packet love
> > that began on 4 July and is ongoing.  I'm still pulling traffic to
> > isolate attack vectors, but one that we've already confirmed is TCP/UDP
> > 80.
> > 
> > The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
> > traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
> > entirely likely that they're being spoofed.  (I'll go ahead and build a
> > list anyways, in case they aren't.  That will come later.)
> 
> Folks,
> 
> Posting a source IP list for the UDP/80 side of this DDoS attack on
> behalf of Matt.  You can find the full list (1.6MB ASN sorted) here:
> 
> 	https://www.cymru.com/nsp-sec/Owned/swaar-udpdos-2009-07-06.txt
> 
> Timestamps are the last time that IP was seen hitting one of the victim
> hosts on UDP/80, in GMT.  Each of these IPs generated at least 10k
> packets to any of 3 victim IPs, and should be relatively free of FPs.
> 
> I've included a list of all ASNs represented within the file below my
> signature.
> 
> Please follow-up on-list or directly to Matt so he can answer questions
> about the source data for the list as appropriate.
> 
> Regards,
> Tim Wilde
> 
> - -- 
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iD8DBQFKUnMDluRbRini9tgRAp2wAJ9Yo2zn88Xec/6lBcaae0xsCkCg/QCfQvgT
> Ov5T/c5zipT/Jqv+Q13iwI4=
> =hS6O
> -----END PGP SIGNATURE-----
> 
> 