[nsp-sec] Multiple DDoS attacks

Scott A. McIntyre scott at xs4all.net
Tue Jul 7 08:45:14 EDT 2009


Hi,


On Jul 7, 2009, at 13:43 , Tim Wilde wrote:

> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
>> The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
>> traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
>> entirely likely that they're being spoofed.  (I'll go ahead and build a
>> list anyways, in case they aren't.  That will come later.)
>
> Good morning teams,
>
> We have processed an attacker list on the TCP/80 SYN flood vector from
> Matt.  This list of IPs each generated at least 10k packets on
> 2009-07-06 to some or all of the following victims:
>
> www.dot.gov - 204.68.195.29
> www.treas.gov - 63.236.117.81
> www.ftc.gov - 164.62.4.30
> evisaforms.state.gov -  169.253.2.16
>
> Packets were TCP/80 with SYN set, PSH not set.  False positives are
> possible, but believed not to be common/likely.  The list of ASNs with
> data in the file is included below my signature again, and the full list
> is available here:

Digging into the flows for the one host I've got data for yielded a  
bit of extra intel:

1)  Confirm 80/udp + 80/tcp + icmp outbound to two of these targets
2)  We also have Ack flags outbound
3)  A number of Akamai nodes were also getting the 80/udp love.
4)  The following other hosts were also getting the 80/udp love:

209     | 66.77.70.101     | ASN-QWEST - Qwest Communications Corporation
14778   | 76.13.115.89     | INKTOMI-LAWSON - Inktomi Corporation
14779   | 216.252.106.49   | INKTOMI-LAWSON - Inktomi Corporation
3147    | 170.135.216.181  | FIRSTBANK - FIRSTBANK
7105    | 205.203.139.53   | DOWJONES-AS - Dow Jones & Company, Inc.
14495   | 206.200.251.71   | NASDAQTRM - The Nasdaq Stock Market
34010   | 87.248.113.14    | YAHOO-IRD Yahoo! Europe, Dublin, IE

Hope this helps.

Scott A. McIntyre
XS4ALL Internet B.V.
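A worked example of the selection Tim describes for the TCP/80 SYN flood vector (SYN set, PSH not set, at least 10k packets from a source to one of the listed victims), added here as illustration; it is not code from Scott, Tim or the list. The flow records are constructed sample data in an assumed nfdump-style CSV layout, not flows from the incident.

```python
# Added example: build a candidate attacker list from flow records using the
# criteria stated in the thread (TCP dport 80, SYN set, PSH not set, >= 10k
# packets per source to a listed victim). Sample flows below are constructed.
from collections import defaultdict
from dataclasses import dataclass

# Victim hosts as quoted in the thread.
VICTIMS = {
    "204.68.195.29": "www.dot.gov",
    "63.236.117.81": "www.treas.gov",
    "164.62.4.30": "www.ftc.gov",
    "169.253.2.16": "evisaforms.state.gov",
}
THRESHOLD = 10_000  # packets per (source, victim), as in the thread

# Constructed sample records (assumed layout, not real data):
# src,dst,proto,sport,dport,tcp_flags,packets
SAMPLE_FLOWS = """\
192.0.2.10,204.68.195.29,6,40213,80,S,6000
192.0.2.10,204.68.195.29,6,40214,80,S,4500
192.0.2.11,63.236.117.81,6,1234,80,SP,20000
192.0.2.12,164.62.4.30,17,53,80,,15000
192.0.2.13,169.253.2.16,6,2222,80,S,9999
192.0.2.13,198.51.100.5,6,2223,80,S,30000
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str
    packets: int


def parse_flows(text):
    """Parse the assumed CSV layout into Flow objects, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, flags, pkts = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport), flags, int(pkts)))
    return flows


def is_syn_flood_candidate(flow):
    """TCP to port 80 of a listed victim, SYN set and PSH not set."""
    return (
        flow.proto == 6
        and flow.dport == 80
        and "S" in flow.flags
        and "P" not in flow.flags
        and flow.dst in VICTIMS
    )


def attacker_list(flows, threshold=THRESHOLD):
    """Sum matching packets per (source, victim) and keep pairs at/above threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_syn_flood_candidate(f):
            totals[(f.src, f.dst)] += f.packets
    return {pair: n for pair, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst), n in sorted(attacker_list(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst} ({VICTIMS[dst]}): {n} packets")
```

In the sample, only 192.0.2.10 crosses the threshold against www.dot.gov across its two flows; the SP-flagged flow, the UDP flow, the 9,999-packet flow and the flow to a non-victim host are all left out. As Matt notes in the quoted message, the sources of a SYN flood may well be spoofed, so the resulting list is a set of candidates for the owning ASNs to check against their own data, not a confirmed attacker list.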
