[nsp-sec] ACK AS852 - RE: Multiple DDoS attacks

Chris Calvert Chris.Calvert at telus.com
Tue Jul 7 14:23:44 EDT 2009


(late) ACK for AS852.

Chris

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tim Wilde
> Sent: Monday, July 06, 2009 3:56 PM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Multiple DDoS attacks
> 
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 7/6/2009 3:43 PM, Matthew.Swaar at us-cert.gov wrote:
> > Fun weekend... Several customers of mine are getting some packet love
> > that began on 4 July and is ongoing.  I'm still pulling traffic to
> > isolate attack vectors, but one that we've already confirmed is TCP/UDP
> > 80.
> >
> > The UDP-80 traffic appears to be a pseudo-random byte size.  The TCP-80
> > traffic appears to be a SYN flood.  I have a ton of source IPs, but it's
> > entirely likely that they're being spoofed.  (I'll go ahead and build a
> > list anyways, in case they aren't.  That will come later.)
> 
> Folks,
> 
> Posting a source IP list for the UDP/80 side of this DDoS attack on
> behalf of Matt.  You can find the full list (1.6MB ASN sorted) here:
> 
> 	https://www.cymru.com/nsp-sec/Owned/swaar-udpdos-2009-07-06.txt

