[nsp-sec] Multiple DDoS attacks
Chris Morrow
morrowc at ops-netman.net
Tue Jul 7 10:19:05 EDT 2009
On Tue, 7 Jul 2009, Scott A. McIntyre wrote:
> ----------- nsp-security Confidential --------
>> ----------- nsp-security Confidential --------
>>
>> www.dot.gov - 204.68.195.29
>> www.treas.gov - 63.236.117.81
>> www.ftc.gov - 164.62.4.30
>> evisaforms.state.gov - 169.253.2.16
>>
> Digging into the flows for the one host I've got data for yielded a bit of
> extra intel:
>
> 1) Confirm 80/udp + 80/tcp + icmp outbound to two of these targets
> 2) We also have Ack flags outbound
> 3) A number of Akamai nodes were also getting the 80/udp love.
seems that dot.gov is akamai'd so that is probably why you see other
akamai hosts catching heat :(
> 4) The following other hosts were also getting the 80/udp love:
>
> 209 | 66.77.70.101 | ASN-QWEST - Qwest Communications Corporation
www.treas.gov resolves to this and the 63.236 addr...
$ host www.treas.gov
www.treas.gov is an alias for treas.tpaq.treasury.gov.
treas.tpaq.treasury.gov has address 63.236.117.81
treas.tpaq.treasury.gov has address 66.77.70.101
> 14778 | 76.13.115.89 | INKTOMI-LAWSON - Inktomi Corporation
> 14779 | 216.252.106.49 | INKTOMI-LAWSON - Inktomi Corporation
inktomi == yahoo (finance in this case)
> 3147 | 170.135.216.181 | FIRSTBANK - FIRSTBANK
firstbank == 'usbank' actually, and they have ~80 ptr records for this
ip... (hurray for phishing your own customers:()
> 7105 | 205.203.139.53 | DOWJONES-AS - Dow Jones & Company, Inc.
> 14495 | 206.200.251.71 | NASDAQTRM - The Nasdaq Stock Market
nasdaq mobile?
> 34010 | 87.248.113.14 | YAHOO-IRD Yahoo! Europe, Dublin, IE
-chris
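An added example, not part of the thread: a small flow-record triage script for the signature described above (udp/80 and icmp toward web hosts, plus ACK-only TCP), run over constructed sample flows. The watch-list reuses three addresses named in the thread; the source addresses and flow format are assumptions.

```python
# Added example (not from the thread): triage flow records for the DDoS
# pattern discussed above.  Flow format is assumed to be
# "src dst proto dport tcp_flags packets", one flow per line.
from collections import defaultdict

# Watch-list: addresses named as targets in the thread.
TARGETS = {"204.68.195.29", "63.236.117.81", "66.77.70.101"}

# Constructed sample flows (RFC 5737 documentation addresses as sources).
SAMPLE_FLOWS = """\
192.0.2.5 204.68.195.29 udp 80 - 1200
192.0.2.5 204.68.195.29 tcp 80 A 900
192.0.2.7 63.236.117.81 icmp 0 - 300
192.0.2.9 66.77.70.101 tcp 80 S 4
192.0.2.9 66.77.70.101 tcp 80 PA 40
203.0.113.4 198.51.100.1 udp 53 - 12
"""

def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, flags, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "flags": flags, "pkts": int(pkts)})
    return flows

def is_suspicious(flow):
    """True for the patterns the thread reports against a web target:
    udp/80 (HTTP is TCP-only), icmp, and ACK-only TCP segments."""
    if flow["dst"] not in TARGETS:
        return False
    if flow["proto"] == "udp" and flow["dport"] == 80:
        return True
    if flow["proto"] == "icmp":
        return True
    return flow["proto"] == "tcp" and flow["flags"] == "A"

def summarize(flows):
    """Return {dst: {src: packets}} over suspicious flows only, so the
    heaviest contributors toward each target are visible."""
    per_target = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_suspicious(f):
            per_target[f["dst"]][f["src"]] += f["pkts"]
    return {dst: dict(srcs) for dst, srcs in per_target.items()}
```

Normal SYN and PSH/ACK traffic to a target is left out of the summary, so a clean flow set yields an empty result.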