[nsp-sec] udp/53 floods from AS20773, c&c?

Dirk Stander dst+nsp-sec at glaskugel.org
Wed Jul 15 07:29:14 EDT 2009


.: Dirk Stander (Wed, Jul 15, 2009 at 10:47:56AM +0200)
> we are indeed noticing the packet love :/   peak traffic 1.2M pps.
> We are filtering and investigating -- and I'll try to get in contact
> with the guys responsible for the supposed C2 (217.79.190.39)

Hi,

After kicking the supposed C&C, the situation is getting worse.
The attack pattern has changed (DNS requests targeting 74.208.3.8 53/UDP)
and we are now seeing traffic of ~5M pps.

The packets look like this:

11:23:19.415453 IP 93.190.138.117.35448 > 74.208.3.8.53: [|domain]
        0x0000:  4500 001d 0000 4000 3711 0dc5 5dbe 8a75  E.....@.7...]..u
        0x0010:  4ad0 0308 8a78 0035 0009 3f23 0000 0000  J....x.5..?#....
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:23:19.415455 IP 93.190.138.117.35448 > 74.208.3.8.53: [|domain]
        0x0000:  4500 001d 0000 4000 3711 0dc5 5dbe 8a75  E.....@.7...]..u
        0x0010:  4ad0 0308 8a78 0035 0009 3f23 0000 0000  J....x.5..?#....
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:23:19.415460 IP 93.190.138.117.35448 > 74.208.3.8.53: [|domain]
        0x0000:  4500 001d 0000 4000 3711 0dc5 5dbe 8a75  E.....@.7...]..u
        0x0010:  4ad0 0308 8a78 0035 0009 3f23 0000 0000  J....x.5..?#....
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

Some of the busiest source IPs (ASN | IP | CC | AS name):
11419   | 200.229.199.72   | BR | Telefonica Empresas SA
15435   | 93.190.138.117   | NL | KABELFOON CAIW Autonomous System
4134    | 220.173.60.156   | CN | CHINANET-BACKBONE No.31,Jin-rong Street
30496   | 67.222.134.120   | US | COLO4 - Colo4Dallas LP
4755    | 121.241.241.245  | IN | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
7393    | 65.175.110.40    | US | CYBERCON - CYBERCON, INC.
10297   | 173.45.69.162    | US | COLUMBUSNAP - The Columbus Network Access Point, Inc.
40871   | 208.90.224.20    | US | MYSERVERZONE - My ServerZone LLC
12322   | 88.191.12.102    | FR | PROXAD AS for Proxad/Free ISP
4837    | 119.113.0.7      | CN | CHINA169-BACKBONE CNCGROUP China169 Backbone
4230    | 201.30.212.11    | BR | Embratel
16814   | 200.69.217.177   | AR | NSS S.A.
9269    | 61.239.249.180   | HK | CTIHK-AS-AP City Telecom (H.K.) Ltd.
7796    | 216.240.145.40   | US | ATMLINK - ATMLINK, INC.
1680    | 212.143.230.27   | IL | NetVision Ltd.

Any information about the (new?) C&C would be very appreciated!

    Kind regards, Dirk Stander (1&1) :.
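The packet quoted above is a 29-byte IPv4/UDP datagram (IP total length 0x001d) whose UDP length field is 9, so the "DNS query" is a single zero byte; tcpdump prints [|domain] because there is not even a full 12-byte DNS header to decode. The bytes after offset 29 are consistent with Ethernet minimum-frame padding. As an added example, not part of the original post or of any 1&1 tooling, the Python below parses that hex dump, verifies the IP and UDP checksums (both are correct for the quoted packet, which points to a deliberately crafted sender rather than corrupted traffic), measures the DNS payload and the trailing padding, and classifies the datagram. It also assembles the smallest well-formed DNS query for comparison. The names hexdump_to_bytes, inet_checksum, analyse_packet, build_udp_packet and the verdict strings are chosen here, and the 192.0.2.1 source used for the comparison packet is a documentation address, not one from the post.

```python
import socket
import struct
from typing import Dict

# Constructed sample: the hex columns of one flood packet as quoted in the post
# (tcpdump -x output; the ASCII column is not needed and is left out).
SAMPLE_DUMP = """\
0x0000:  4500 001d 0000 4000 3711 0dc5 5dbe 8a75
0x0010:  4ad0 0308 8a78 0035 0009 3f23 0000 0000
0x0020:  0000 0000 0000 0000 0000 0000 0000
"""

DNS_HEADER_LEN = 12   # fixed DNS header; nothing shorter can be a DNS message
UDP_HEADER_LEN = 8
PROTO_UDP = 17


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' lines ('0x0010:  4ad0 0308 ...') into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the 16-bit one's complement sum.
    Over a block that already contains a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyse_packet(raw: bytes) -> Dict[str, object]:
    """Decode IPv4/UDP, verify both checksums and classify the DNS payload."""
    (ver_ihl, _tos, total_len, ip_id, flags_frag, ttl, proto, _ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4 != 4 or proto != PROTO_UDP or total_len > len(raw)
            or ihl + UDP_HEADER_LEN > total_len):
        raise ValueError("not a complete IPv4/UDP datagram")
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", raw[ihl:ihl + UDP_HEADER_LEN])
    if ulen < UDP_HEADER_LEN or ihl + ulen > total_len:
        raise ValueError("UDP length field inconsistent with IP total length")
    segment = raw[ihl:ihl + ulen]
    payload = segment[UDP_HEADER_LEN:]
    # The UDP checksum also covers a pseudo-header: addresses, zero, protocol, UDP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    if len(payload) < DNS_HEADER_LEN:
        verdict = "runt-dns-query"            # what tcpdump renders as [|domain]
    else:
        qr = struct.unpack("!H", payload[2:4])[0] >> 15
        verdict = "dns-response" if qr else "dns-query"
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl, "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,
        "udp_checksum_ok": ucsum == 0 or inet_checksum(pseudo + segment) == 0,
        "udp_len": ulen, "dns_payload_len": len(payload),
        "trailer_len": len(raw) - total_len,   # bytes past the IP length: link-layer padding
        "verdict": verdict,
    }


def build_udp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes, ttl: int = 64) -> bytes:
    """Assemble an IPv4/UDP datagram with correct checksums, for comparison
    against the flood packet (e.g. the smallest legitimate DNS query)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ulen = UDP_HEADER_LEN + len(payload)
    pseudo = s + d + struct.pack("!BBH", 0, PROTO_UDP, ulen)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    ucsum = inet_checksum(pseudo + udp) or 0xFFFF   # 0 is reserved for "no checksum"
    udp = struct.pack("!HHHH", sport, dport, ulen, ucsum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0x4000, ttl, PROTO_UDP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


# Smallest well-formed query: 12-byte header, root name (one zero byte), QTYPE A, QCLASS IN.
MIN_DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                 + b"\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for name, pkt in (("flood packet", hexdump_to_bytes(SAMPLE_DUMP)),
                      ("minimal query", build_udp_packet("192.0.2.1", "74.208.3.8",
                                                         40000, 53, MIN_DNS_QUERY))):
        print(name, analyse_packet(pkt))
```

The same length test is usable as a capture or filter expression: a legitimate query can never have a UDP length below 8 + 12 + 1 + 4 = 25 bytes (the root name is the shortest possible QNAME), so matching on the UDP length field, e.g. `tcpdump 'udp dst port 53 and udp[4:2] < 20'`, isolates these runts without touching real resolver traffic; that also separates the flood from the earlier pattern, since a rule keyed on packet shape keeps working when the sources rotate.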


