[nsp-sec] Multiple DDoS attacks
Tim Wilde
twilde at cymru.com
Tue Jul 7 07:43:24 EDT 2009
On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> The UDP-80 traffic appears to be a pseudo-random byte size. The TCP-80
> traffic appears to be a SYN flood. I have a ton of source IPs, but it's
> entirely likely that they're being spoofed. (I'll go ahead and build a
> list anyways, in case they aren't. That will come later.)
Good morning teams,
We have processed an attacker list on the TCP/80 SYN flood vector from
Matt. This list of IPs each generated at least 10k packets on
2009-07-06 to some or all of the following victims:
www.dot.gov - 204.68.195.29
www.treas.gov - 63.236.117.81
www.ftc.gov - 164.62.4.30
evisaforms.state.gov - 169.253.2.16
Packets were TCP/80 with SYN set, PSH not set. False positives are
possible, but believed not to be common/likely. The list of ASNs with
data in the file is included below my signature again, and the full list
is available here:
https://www.cymru.com/nsp-sec/Owned/swaar-tcpdos-2009-07-06.txt
As before, please make sure to follow up to the list or directly to Matt
as he'll be able to answer any questions better than I can.
Best regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
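An added example, not part of the original message and not Team Cymru's or US-CERT's tooling: the selection criteria stated in the message (TCP/80 to the listed victims, SYN set, PSH not set, at least 10k packets per source) applied to flow records. The CSV column names and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Victim addresses as listed in the message.
VICTIMS = {"204.68.195.29", "63.236.117.81", "164.62.4.30", "169.253.2.16"}
SYN, PSH = 0x02, 0x08   # TCP flag bits
THRESHOLD = 10_000      # "at least 10k packets" per source for the day


def matches(rec):
    """True for a TCP/80 record to a victim with SYN set and PSH clear."""
    flags = int(rec["tcp_flags"], 0)
    return (rec["proto"] == "6" and rec["dport"] == "80"
            and rec["dst"] in VICTIMS
            and bool(flags & SYN) and not (flags & PSH))


def heavy_sources(flow_csv, threshold=THRESHOLD):
    """Sum matching packets per source across all victims.

    Returns {src: packets} for sources at or above the threshold.
    Sources may be spoofed, so the result is a lead, not an attribution.
    """
    totals = Counter()
    for rec in csv.DictReader(io.StringIO(flow_csv)):
        if matches(rec):
            totals[rec["src"]] += int(rec["packets"])
    return {src: n for src, n in totals.items() if n >= threshold}


# Constructed sample records (documentation-range sources, not real data).
# Column layout is an assumption; adapt it to your flow exporter.
SAMPLE = """src,dst,proto,dport,tcp_flags,packets
192.0.2.10,204.68.195.29,6,80,0x02,6000
192.0.2.10,164.62.4.30,6,80,0x02,4500
198.51.100.7,63.236.117.81,6,80,0x18,50000
203.0.113.5,169.253.2.16,17,80,0x00,90000
203.0.113.9,204.68.195.29,6,80,0x02,9999
192.0.2.77,204.68.195.29,6,443,0x02,20000
"""

if __name__ == "__main__":
    for src, n in sorted(heavy_sources(SAMPLE).items()):
        print(src, n)
```

Only 192.0.2.10 is reported here: its packets are summed across two victims, while the PSH-set, UDP, below-threshold and port-443 records are excluded.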