[nsp-sec] DoS attack (9723,24961,31400)
Mike Tancsa
mike at sentex.net
Sat Jul 11 18:21:37 EDT 2009
A customer FreeBSD box in our colo (64.7.135.32) was spewing out a
10Mb UDP attack targeted at 82.211.6.150 from 9am to ~12:15pm (GMT -400)
AS | IP | AS Name
31400 | 82.211.6.150 | ACCELERATED-IT Accelerated IT Services GmbH
11:47:47.488092 IP 64.7.135.32.55252 > 82.211.6.150.80: UDP, length 1
0x0000: 4500 001d 2298 0000 4011 37a8 4007 8720 E..."...@.7.@...
0x0010: 52d3 0696 d7d4 0050 0009 f126 1600 0000 R......P...&....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
11:47:47.488107 IP 64.7.135.32.64552 > 82.211.6.150.80: UDP, length 1
0x0000: 4500 001d 2299 0000 4011 37a7 4007 8720 E..."...@.7.@...
0x0010: 52d3 0696 fc28 0050 0009 53d2 8f00 0000 R....(.P..S.....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
11:47:47.488118 IP 64.7.135.32.55252 > 82.211.6.150.80: UDP, length 1
0x0000: 4500 001d 229a 0000 4011 37a6 4007 8720 E..."...@.7.@...
They brute forced an account some time ago and had logged in from (GMT-400,EDT)
AS | IP | AS Name
24961 | 217.79.182.58 | FIBREONE-AS fibre one networks GmbH, Duesseldorf
as well as on
Jul 10 11:31:29, Jul 11 01:13:11, Jul 11 03:34:15, Jul 11 07:50:50
As well as from
AS | IP | AS Name
9723 | 202.183.124.61 | ISEEK-AS-AP ISEEK Ltd, Jul 7 11:06:59
DoS tool used (FreeBSD 6.x) can be downloaded at
http://www.tancsa.com/dostool.zip, passwd is GBHpackets
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
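
Added example, not part of the original post: a Python decoder for the first packet in the capture above, showing what the hex says (a valid IPv4 header, a 1-byte UDP payload to port 80, the remainder link-layer padding). The function names and the `is_tiny_udp_to_port` thresholds are assumptions made for this illustration.

```python
import struct

# First packet's hex words from the post (offsets and ASCII column dropped).
PACKET_HEX = """
4500 001d 2298 0000 4011 37a8 4007 8720
52d3 0696 d7d4 0050 0009 f126 1600 0000
0000 0000 0000 0000 0000 0000 0000
"""

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4_udp(raw: bytes) -> dict:
    """Decode an IPv4 packet carrying UDP; raises ValueError on anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[2:4])
    if ihl < 20 or total_len < ihl + 8 or total_len > len(raw) or raw[9] != 17:
        raise ValueError("truncated header or not UDP")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "sport": sport,
        "dport": dport,
        "payload_len": udp_len - 8,
        # A valid header sums to 0xFFFF when its own checksum field is included.
        "ip_checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        # Bytes captured past the IP total length are link-layer padding.
        "padding": len(raw) - total_len,
    }

def is_tiny_udp_to_port(pkt: dict, port: int = 80, max_payload: int = 1) -> bool:
    """Heuristic (assumed thresholds): near-empty UDP datagram aimed at one port."""
    return pkt["dport"] == port and pkt["payload_len"] <= max_payload

if __name__ == "__main__":
    pkt = decode_ipv4_udp(bytes.fromhex("".join(PACKET_HEX.split())))
    print(pkt, is_tiny_udp_to_port(pkt))
```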