[nsp-sec] Multiple DDoS attacks
Smith, Donald
Donald.Smith at qwest.com
Mon Jul 6 18:20:12 EDT 2009
I am seeing icmp floods (mostly echo requests) in our netflow towards some of Matt's victim ips.
The UDP port 80 is consistent wrt src_interface, so I will agree with Matt that this isn't spoofed (or is spoofed locally). There are some resets that appear to be responses to the SYNs, so I believe the OSes involved are not listening; they are just blindly sending out SYNs, and when they get a response they send back a reset (implies packet crafting).
Several of my top hitters are listed in the url below so I can validate the ips.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Dave Mitchell
> Sent: Monday, July 06, 2009 4:01 PM
> To: Tim Wilde
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Multiple DDoS attacks
>
> ----------- nsp-security Confidential --------
>
> Out of curiosity, mixed with these syn floods are you seeing valid HTTP
> GETS / and some ICMP floods?
> -dave
> On Mon, Jul 06, 2009 at 05:56:19PM -0400, Tim Wilde wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> > Fun weekend... Several customers of mine are getting some packet love
> > that began on 4 July and is ongoing. I'm still pulling traffic to
> > isolate attack vectors, but one that we've already confirmed is TCP/UDP
> > 80.
> >
> > The UDP-80 traffic appears to be a pseudo-random byte size. The TCP-80
> > traffic appears to be a SYN flood. I have a ton of source IPs, but it's
> > entirely likely that they're being spoofed. (I'll go ahead and build a
> > list anyways, in case they aren't. That will come later.)
>
> Folks,
>
> Posting a source IP list for the UDP/80 side of this DDoS attack on
> behalf of Matt. You can find the full list (1.6MB ASN sorted) here:
>
> https://www.cymru.com/nsp-sec/Owned/swaar-udpdos-2009-07-06.txt
>
> Timestamps are the last time that IP was seen hitting one of the victim
> hosts on UDP/80, in GMT. Each of these IPs generated at least 10k
> packets to any of 3 victim IPs, and should be relatively free of FPs.
>
> I've included a list of all ASNs represented within the file below my
> signature.
>
> Please follow-up on-list or directly to Matt so he can answer questions
> about the source data for the list as appropriate.
>
> Regards,
> Tim Wilde
>
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
>
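Added example, not from any message in this thread: a small Python script that applies the two heuristics discussed above to flow records, the per-source packet threshold toward the victim hosts on UDP/80 and the ingress-interface consistency check used to argue the sources are not spoofed. Victim addresses, the record layout and all counts are constructed; the 10k threshold is taken as a total across the victim set.

```python
from collections import defaultdict

# Constructed sample flow records (not real data):
# (src_ip, dst_ip, proto, dst_port, src_interface, packets)
FLOWS = [
    ("203.0.113.10", "198.51.100.1", "udp", 80, "ge-0/0/1", 6000),
    ("203.0.113.10", "198.51.100.2", "udp", 80, "ge-0/0/1", 5000),
    ("203.0.113.11", "198.51.100.1", "udp", 80, "ge-0/0/1", 9000),
    ("203.0.113.12", "198.51.100.3", "udp", 80, "ge-0/0/1", 7000),
    ("203.0.113.12", "198.51.100.3", "udp", 80, "ge-0/0/2", 7000),
    ("203.0.113.13", "198.51.100.1", "tcp", 80, "ge-0/0/3", 20000),
]
# Constructed victim set (documentation-range addresses).
VICTIMS = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}


def udp80_sources(flows, victims, threshold=10000):
    """Return {src_ip: packets} for sources whose UDP/80 packets toward
    the victim set total at least `threshold` (assumed reading of the
    list's 10k-packet cutoff)."""
    totals = defaultdict(int)
    for src, dst, proto, dport, _iface, pkts in flows:
        if dst in victims and proto == "udp" and dport == 80:
            totals[src] += pkts
    return {s: n for s, n in totals.items() if n >= threshold}


def ingress_interfaces(flows, sources):
    """Return {src_ip: set of ingress interfaces}. A source that always
    arrives on one interface is consistent with a real host; the same
    address arriving on several interfaces suggests spoofing."""
    ifaces = defaultdict(set)
    for src, _dst, _proto, _dport, iface, _pkts in flows:
        if src in sources:
            ifaces[src].add(iface)
    return dict(ifaces)


def report(flows, victims, threshold=10000):
    """Combine both checks into a per-source verdict."""
    hits = udp80_sources(flows, victims, threshold)
    ifaces = ingress_interfaces(flows, hits)
    return {
        src: {"packets": n, "interfaces": sorted(ifaces[src]),
              "spoof_suspect": len(ifaces[src]) > 1}
        for src, n in hits.items()
    }


if __name__ == "__main__":
    for src, verdict in report(FLOWS, VICTIMS).items():
        print(src, verdict)
```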