[nsp-sec] Multiple DDoS attacks

Dave Mitchell davem at yahoo-inc.com
Mon Jul 6 18:25:52 EDT 2009


The valid HTTP GETs also had the following requests:

url=/statusf.html
url=/red1.jpg
url=/status
url=/htbin/lfeedback.php
url=/setting.doc
url=/setting.xls
url=/

We found a large concentration of this to be sourced out of .KR. 

We're gathering the full list on our end as well. 

-dave

On Mon, Jul 06, 2009 at 04:20:12PM -0600, Smith, Donald wrote:
> I am seeing ICMP floods (mostly echo requests) in our netflow towards some of Matt's victim IPs.
> 
> The UDP port 80 is consistent wrt src_interface, so I will agree with Matt that this isn't spoofed (or is spoofed locally). There are some resets that appear to be responses to the SYNs, so I believe the OSes involved are not listening; they are just blindly sending out SYNs and when they get a response they send back a reset (implies packet crafting).
> 
> Several of my top hitters are listed in the URL below so I can validate the IPs.
> 
> 
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia   
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > Dave Mitchell
> > Sent: Monday, July 06, 2009 4:01 PM
> > To: Tim Wilde
> > Cc: nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] Multiple DDoS attacks
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Out of curiosity, mixed with these SYN floods are you seeing valid HTTP
> > GETs / and some ICMP floods?
> > 
> > -dave
> > 
> > On Mon, Jul 06, 2009 at 05:56:19PM -0400, Tim Wilde wrote:
> > > ----------- nsp-security Confidential --------
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> > > > Fun weekend... Several customers of mine are getting some packet love
> > > > that began on 4 July and is ongoing.  I'm still pulling traffic to
> > > > isolate attack vectors, but one that we've already confirmed is TCP/UDP
> > > > 80.
> > > > 
> > > > The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
> > > > traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
> > > > entirely likely that they're being spoofed.  (I'll go ahead and build a
> > > > list anyways, in case they aren't.  That will come later.)
> > > 
> > > Folks,
> > > 
> > > Posting a source IP list for the UDP/80 side of this DDoS attack on
> > > behalf of Matt.  You can find the full list (1.6MB ASN sorted) here:
> > > 
> > > 	https://www.cymru.com/nsp-sec/Owned/swaar-udpdos-2009-07-06.txt
> > > 
> > > Timestamps are the last time that IP was seen hitting one of the victim
> > > hosts on UDP/80, in GMT.  Each of these IPs generated at least 10k
> > > packets to any of 3 victim IPs, and should be relatively free of FPs.
> > > 
> > > I've included a list of all ASNs represented within the file below my
> > > signature.
> > > 
> > > Please follow up on-list or directly to Matt so he can answer questions
> > > about the source data for the list as appropriate.
> > > 
> > > Regards,
> > > Tim Wilde
> > > 
> > > - -- 
> > > Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> > > twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
> > > 
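Two of the sorting heuristics in this thread can be run directly over flow records: Tim Wilde's rule for the UDP/80 list (count a source only if it sent at least 10k packets to a victim, and record the last time it was seen) and Donald Smith's observation that the TCP/80 sources send bare SYNs and answer the SYN-ACK with a RST instead of completing the handshake, which points at packet crafting rather than a real client. The script below is an added example written for this page, not code from anyone on the thread or from Team Cymru. The record layout, the flag letters and every address in it are constructed: victims and sources are RFC 5737 documentation ranges, and the CSV is a simplified stand-in for real netflow export, not nfdump output.

```python
"""Flow-record triage for the two heuristics the thread describes.

Added example; not code from anyone on the thread. Record format, flag
letters and all addresses below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed victim addresses (RFC 5737 TEST-NET-1), standing in for the
# three victim IPs Tim's list was built against.
VICTIMS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
UDP_PKT_THRESHOLD = 10_000  # Tim's "at least 10k packets to any of 3 victim IPs"

# Constructed records: ts,src,dst,proto,sport,dport,packets,bytes,flags
# flags is a simplified nfdump-style string: S=SYN, A=ACK, R=RST, '.'=none.
FLOWS = """\
2009-07-06T14:01:02Z,198.51.100.5,192.0.2.10,UDP,53123,80,12000,7300000,.
2009-07-06T14:01:03Z,198.51.100.5,192.0.2.11,UDP,53124,80,3000,1900000,.
2009-07-06T14:01:10Z,198.51.100.7,192.0.2.10,UDP,40001,80,9000,5000000,.
2009-07-06T14:02:00Z,203.0.113.9,192.0.2.12,TCP,1025,80,5000,300000,S
2009-07-06T14:02:00Z,192.0.2.12,203.0.113.9,TCP,80,1025,5000,300000,SA
2009-07-06T14:02:01Z,203.0.113.9,192.0.2.12,TCP,1025,80,5000,200000,R
2009-07-06T14:03:00Z,203.0.113.20,192.0.2.12,TCP,44000,80,1,60,S
2009-07-06T14:03:00Z,192.0.2.12,203.0.113.20,TCP,80,44000,1,60,SA
2009-07-06T14:03:00Z,203.0.113.20,192.0.2.12,TCP,44000,80,3,400,A
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV above into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, sport, dport, pkts, nbytes, flags = line.split(",")
        flows.append(Flow(ts, src, dst, proto, int(sport), int(dport),
                          int(pkts), int(nbytes), flags))
    return flows


def udp80_sources(flows, victims=VICTIMS, threshold=UDP_PKT_THRESHOLD):
    """Sources that sent >= threshold UDP/80 packets to any single victim.

    Returns {src: (victim, packets, last_seen)}; last_seen is the latest
    timestamp the source hit any victim on UDP/80, as in Tim's list.
    """
    per_pair = defaultdict(int)
    last_seen = {}
    for f in flows:
        if f.proto == "UDP" and f.dport == 80 and f.dst in victims:
            per_pair[(f.src, f.dst)] += f.packets
            # ISO-8601 UTC strings sort lexicographically, so max() works.
            last_seen[f.src] = max(last_seen.get(f.src, ""), f.ts)
    hits = {}
    for (src, dst), n in per_pair.items():
        if n >= threshold and (src not in hits or n > hits[src][1]):
            hits[src] = (dst, n, last_seen[src])
    return hits


def syn_rst_sources(flows, victims=VICTIMS):
    """Sources whose TCP/80 traffic to a victim is bare SYNs, draws a SYN-ACK,
    and is answered with RST instead of the handshake's final ACK: Donald's
    "not listening, just sending SYNs" pattern. A source that ever sends an
    ACK without RST (completed handshake) is treated as a real client.
    """
    sent = defaultdict(set)  # src -> flag strings sent to a victim on port 80
    got_synack = set()       # sources a victim answered with SYN-ACK
    for f in flows:
        if f.proto != "TCP":
            continue
        if f.dst in victims and f.dport == 80:
            sent[f.src].add(f.flags)
        elif f.src in victims and f.sport == 80 and {"S", "A"} <= set(f.flags):
            got_synack.add(f.dst)
    suspects = set()
    for src, flagset in sent.items():
        bare_syn = "S" in flagset
        sent_rst = any("R" in fl for fl in flagset)
        completed = any("A" in fl and "R" not in fl for fl in flagset)
        if bare_syn and sent_rst and not completed and src in got_synack:
            suspects.add(src)
    return suspects


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for src, (victim, n, seen) in sorted(udp80_sources(flows).items()):
        print(f"udp80 {src} -> {victim} {n} pkts last_seen={seen}")
    for src in sorted(syn_rst_sources(flows)):
        print(f"syn+rst {src}")
```

On the constructed records, 198.51.100.5 clears the 10k-packet bar against one victim and is listed with its last-seen time, 198.51.100.7 stops at 9k and is left out, 203.0.113.9 shows the SYN, SYN-ACK, RST sequence and is flagged, and 203.0.113.20 completes its handshake and is not. The per-victim count rather than a total across victims is a deliberate choice so that a source spraying a few packets at many hosts does not reach the threshold by accumulation; loosen it if your list is meant to be more inclusive.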