[nsp-sec] Got traffic? - DDoS
John Fraizer
john at op-sec.us
Thu Jul 16 11:48:20 EDT 2009
Over the past 30 mins:
nfdump filter:
host in [156.154.100.3 156.154.101.3 156.154.102.3 156.154.103.3]
Top 500 IP Addr ordered by flows:
Date first seen          Duration Proto          IP Addr Flows Packets   Bytes  pps    bps  bpp
2009-07-16 14:59:30.928  2111.256 any      156.154.101.3   280     284   37114    0    140  130
2009-07-16 14:57:54.940  2202.136 any      156.154.102.3   253     256   31720    0    115  123
2009-07-16 14:58:09.948  2156.384 any      156.154.103.3   241     243   29469    0    109  121
2009-07-16 14:59:25.996  2101.540 any      156.154.100.3   214     216   25891    0     98  119
2009-07-16 14:58:47.600  2139.936 any       216.199.54.x   120     120   16345    0     61  136
2009-07-16 15:00:31.592  2004.224 any       70.43.63.22x    64      64    8693    0     34  135
2009-07-16 14:59:30.928  2081.552 any      216.23.111.1x    61      61    7693    0     29  126
2009-07-16 15:00:44.240  1876.716 any       70.43.63.22x    57      57    6451    0     27  113
2009-07-16 14:59:57.036  2056.368 any       70.43.63.22x    56      56    6905    0     26  123
2009-07-16 14:59:48.156  2017.944 any       70.43.63.22x    54      54    6772    0     26  125
2009-07-16 14:59:51.436  2083.748 any      66.240.67.23x    52      52    7601    0     29  146
2009-07-16 14:59:57.312  2059.060 any       66.147.19.1x    51      54    5271    0     20   97
2009-07-16 14:59:50.108  1924.008 any      216.199.46.1x    48      48    6755    0     28  140
2009-07-16 14:58:43.748  1880.340 any    209.177.210.12x    36      44    4366    0     18   99
2009-07-16 15:00:09.860  2003.616 any      216.199.0.13x    29      29    3713    0     14  128
2009-07-16 14:59:51.272  1918.004 any       70.43.63.10x    25      25    3218    0     13  128
2009-07-16 14:57:54.940  2063.616 any        70.43.63.9x    24      24    2953    0     11  123
2009-07-16 15:03:40.240  1667.028 any        70.43.63.9x    22      22    2588    0     12  117
2009-07-16 15:00:22.072  1844.452 any        70.43.63.9x    15      15    2198    0      9  146
2009-07-16 15:00:01.600  1917.544 any      74.223.88.23x    12      12    1235    0      5  102
2009-07-16 15:05:44.612  1476.280 any       70.43.30.12x    12      12    1115    0      6   92
2009-07-16 15:01:39.032    70.152 any       69.38.26.15x     9       9     871    0     99   96
2009-07-16 14:59:51.904   877.108 any      70.43.162.19x     8       8    1033    0      9  129
2009-07-16 14:59:57.816  1951.560 any       65.97.154.3x     7       7     985    0      4  140
2009-07-16 15:01:08.884  1866.852 any      216.54.168.6x     7       7    1077    0      4  153
2009-07-16 15:23:17.200   343.440 any        65.23.34.9x     7       7     653    0     15   93
2009-07-16 15:07:56.388  1417.812 any      75.77.140.20x     6       6     699    0      3  116
2009-07-16 15:10:13.464   541.968 any     66.148.156.16x     5       5     412    0      6   82
2009-07-16 15:01:15.852  1085.868 any      174.141.8.15x     5       5     464    0      3   92
2009-07-16 15:03:27.968  1332.924 any       70.46.31.10x     5       5     551    0      3  110
2009-07-16 15:22:10.336   415.888 any      74.223.40.17x     4       4     470    0      9  117
2009-07-16 15:06:25.828  1600.196 any     74.223.184.25x     4       4     367    0      1   91
2009-07-16 15:09:37.324  1436.776 any        70.43.63.2x     4       4     651    0      3  162
2009-07-16 15:14:37.364   509.448 any        64.19.2.22x     4       4     333    0      5   83
2009-07-16 15:04:35.820  1514.620 any      216.199.46.1x     4       4     579    0      3  144
2009-07-16 15:09:21.128   112.084 any        64.19.58.8x     4       4     404    0     28  101
2009-07-16 15:07:39.244  1277.788 any       70.46.90.14x     4       4     453    0      2  113
2009-07-16 15:16:58.092   171.844 any     216.199.81.19x     4       4     575    0     26  143
2009-07-16 15:04:08.128  1539.084 any     216.199.127.6x     3       3     456    0      2  152
2009-07-16 15:24:37.188   418.488 any     216.215.144.4x     3       3     591    0     11  197
2009-07-16 15:03:52.732  1614.108 any    216.215.215.19x     3       3     243    0      1   81
2009-07-16 15:20:46.440   212.544 any        192.168.0.x     3       3     175    0      6   58
2009-07-16 15:15:54.504   981.740 any       198.136.38.x     3       3     252    0      2   84
2009-07-16 15:20:36.348    44.296 any      174.141.40.7x     3       3     418    0     75  139
2009-07-16 15:00:33.948  1319.940 any      66.147.47.15x     3       3     387    0      2  129
2009-07-16 15:14:39.990  1197.086 any     216.199.46.10x     3       3     292    0      1   97
2009-07-16 15:32:02.012     5.076 any         66.83.86.x     2       2    1152    0   1815  576
2009-07-16 15:07:16.964   884.172 any      70.46.235.17x     2       2     338    0      3  169
2009-07-16 15:03:08.964  1876.320 any      66.64.141.24x     2       2     175    0      0   87
2009-07-16 15:09:35.316   526.794 any      74.223.63.14x     2       2     232    0      3  116
2009-07-16 15:32:18.189    13.602 any       72.17.156.3x     2       2     138    0     81   69
2009-07-16 14:59:51.500   938.108 any       68.143.84.1x     2       2     161    0      1   80
2009-07-16 15:03:44.896  1438.384 any      68.143.99.16x     2       2     248    0      1  124
2009-07-16 15:06:29.932   393.056 any       74.223.151.x     2       2     177    0      3   88
2009-07-16 15:10:30.260   703.192 any      68.143.171.1x     2       2     154    0      1   77
2009-07-16 15:09:36.312  1214.448 any       66.83.201.2x     2       2     210    0      1  105
2009-07-16 15:03:54.704     0.208 any     68.143.242.21x     2       2     297    9  11423  148
2009-07-16 15:08:52.720     2.796 any      66.83.220.14x     2       2     425    0   1216  212
2009-07-16 15:03:42.544   184.728 any      72.17.216.10x     2       2     248    0     10  124
2009-07-16 15:15:31.976   605.484 any    209.248.130.17x     2       2     131    0      1   65
2009-07-16 15:20:18.496   253.428 any        66.49.75.5x     2       2     310    0      9  155
2009-07-16 15:22:12.176   251.132 any     209.248.143.8x     2       2     335    0     10  167
2009-07-16 15:01:15.256  1477.080 any       64.90.25.12x     2       2     291    0      1  145
2009-07-16 15:09:09.984     6.748 any      66.240.103.5x     2       2     321    0    380  160
2009-07-16 15:20:53.192   549.204 any        70.43.63.1x     2       2     316    0      4  158
2009-07-16 15:23:57.676   372.772 any     205.167.158.1x     2       2     168    0      3   84
2009-07-16 15:07:13.072  1557.764 any      64.16.188.10x     2       2     268    0      1  134
2009-07-16 15:12:52.948   536.520 any       70.46.105.9x     2       2     245    0      3  122
2009-07-16 15:30:48.720     1.744 any      174.141.8.22x     2       2     240    1   1100  120
2009-07-16 15:07:14.612  1534.712 any     174.141.11.14x     2       2     261    0      1  130
2009-07-16 15:10:04.604     0.040 any       75.77.48.10x     2       2     240   49  47999  120
2009-07-16 15:02:22.144  1222.840 any      65.97.128.17x     2       2     132    0      0   66
2009-07-16 15:13:52.820   785.516 any      216.199.54.1x     2       2     278    0      2  139
2009-07-16 15:03:30.968     0.000 any      198.136.41.6x     1       1     141    0      0  141
2009-07-16 15:22:47.192     0.000 any      68.143.16.23x     1       1     132    0      0  132
2009-07-16 15:25:57.820     0.000 any       66.148.131.x     1       1     110    0      0  110
2009-07-16 15:33:20.624     0.000 any     216.199.254.8x     1       1     141    0      0  141
2009-07-16 15:04:13.208     0.000 any    216.215.236.10x     1       1     162    0      0  162
2009-07-16 15:02:45.740     0.000 any    216.199.232.11x     1       1     155    0      0  155
2009-07-16 15:29:39.928     0.000 any        66.49.60.5x     1       1     128    0      0  128
2009-07-16 15:29:57.640     0.000 any     209.177.201.6x     1       1     121    0      0  121
2009-07-16 15:06:38.380     0.000 any      216.199.209.x     1       1      79    0      0   79
2009-07-16 14:59:39.444     0.000 any       70.46.186.4x     1       1      64    0      0   64
2009-07-16 14:58:09.948     0.000 any       66.83.172.2x     1       1      66    0      0   66
2009-07-16 15:05:19.156     0.000 any       70.43.198.1x     1       1      64    0      0   64
2009-07-16 15:29:04.732     0.000 any      66.83.167.24x     1       1     103    0      0  103
2009-07-16 15:00:03.328     0.000 any     216.199.71.25x     1       1      70    0      0   70
2009-07-16 15:05:46.328     0.000 any       66.83.143.7x     1       1     115    0      0  115
2009-07-16 15:28:06.028     0.000 any      66.83.110.15x     1       1      74    0      0   74
2009-07-16 15:04:30.758     0.000 any      216.23.125.3x     1       1      72    0      0   72
2009-07-16 15:03:21.968     0.000 any     158.158.239.1x     1       1      75    0      0   75
2009-07-16 15:34:10.812     0.000 any      66.64.216.17x     1       1      64    0      0   64
2009-07-16 15:31:44.696     0.000 any       70.46.40.23x     1       1      70    0      0   70
2009-07-16 15:04:04.772     0.000 any       66.83.78.10x     1       1     114    0      0  114
2009-07-16 15:20:46.091     0.000 any        70.46.29.3x     1       1      77    0      0   77
2009-07-16 15:01:08.252     0.000 any       70.46.235.1x     1       1     139    0      0  139
2009-07-16 15:25:25.504     0.000 any       70.46.235.9x     1       1     131    0      0  131
2009-07-16 15:31:23.268     0.000 any      75.77.127.13x     1       1     104    0      0  104
2009-07-16 15:01:50.072     0.000 any      66.49.109.20x     1       1     222    0      0  222
2009-07-16 15:02:11.065     0.000 any       70.46.171.4x     1       1     114    0      0  114
2009-07-16 15:08:18.296     0.000 any       65.23.25.12x     1       1      63    0      0   63
2009-07-16 15:04:48.996     0.000 any     68.143.168.19x     1       1     217    0      0  217
2009-07-16 15:21:00.304     0.000 any     68.143.161.13x     1       1     103    0      0  103
2009-07-16 15:30:50.520     0.000 any      66.83.179.22x     1       1     137    0      0  137
2009-07-16 15:10:50.360     0.000 any       68.143.74.1x     1       1     179    0      0  179
2009-07-16 15:19:29.116     0.000 any       70.46.40.24x     1       1     215    0      0  215
2009-07-16 15:14:09.028     0.000 any       74.223.65.3x     1       1     153    0      0  153
2009-07-16 15:27:58.988     0.000 any        68.143.6.7x     1       1     117    0      0  117
2009-07-16 15:34:42.184     0.000 any       66.64.157.3x     1       1     141    0      0  141
2009-07-16 15:10:02.320     0.000 any      74.223.186.1x     1       1     114    0      0  114
2009-07-16 15:09:15.932     0.000 any    209.177.231.13x     1       1      78    0      0   78
2009-07-16 15:15:27.344     0.000 any     216.116.167.3x     1       1      69    0      0   69
2009-07-16 15:17:40.532     0.000 any     66.148.157.16x     1       1      57    0      0   57
2009-07-16 15:28:37.368     0.000 any    209.177.234.24x     1       1     215    0      0  215
2009-07-16 15:23:12.428     0.000 any       64.19.42.13x     1       1      81    0      0   81
2009-07-16 15:30:36.692     0.000 any      70.46.235.18x     1       1     139    0      0  139
2009-07-16 15:19:25.536     0.000 any      209.50.110.8x     1       1      66    0      0   66
2009-07-16 15:06:16.736     0.000 any       66.49.84.21x     1       1     109    0      0  109
2009-07-16 15:07:52.320     0.000 any     74.223.173.23x     1       1     143    0      0  143
2009-07-16 15:05:02.556     0.000 any       75.77.94.19x     1       1     171    0      0  171
2009-07-16 15:20:56.212     0.000 any        65.23.14.9x     1       1     138    0      0  138
2009-07-16 15:30:49.128     0.000 any      64.16.128.19x     1       1      72    0      0   72
2009-07-16 15:31:34.540     0.000 any     68.143.133.24x     1       1     153    0      0  153
2009-07-16 15:06:12.200     0.000 any        70.46.83.3x     1       1     170    0      0  170
2009-07-16 15:22:36.644     0.000 any       66.64.194.7x     1       1     107    0      0  107
2009-07-16 15:24:19.656     0.000 any    209.248.229.14x     1       1      70    0      0   70
2009-07-16 15:26:17.512     0.000 any    209.248.237.14x     1       1     150    0      0  150
2009-07-16 15:01:31.888     0.000 any       70.43.238.9x     1       1      63    0      0   63
2009-07-16 15:31:16.212     0.000 any    216.215.205.14x     1       1      71    0      0   71
2009-07-16 15:00:27.012     0.000 any     216.199.127.6x     1       1     204    0      0  204
2009-07-16 15:21:39.596     0.000 any      70.43.230.22x     1       1     215    0      0  215
2009-07-16 15:27:45.692     0.000 any      158.158.239.x     1       1     143    0      0  143
2009-07-16 15:27:43.060     0.000 any        66.49.76.3x     1       1     121    0      0  121
2009-07-16 15:27:08.300     0.000 any     74.223.169.14x     1       1     113    0      0  113
2009-07-16 15:22:48.660     0.000 any       74.223.76.8x     1       1     105    0      0  105
2009-07-16 15:05:23.066     0.000 any       216.23.124.x     1       1      67    0      0   67
2009-07-16 15:31:14.968     0.000 any      216.54.168.4x     1       1     197    0      0  197
2009-07-16 15:26:35.084     0.000 any      66.49.105.17x     1       1      62    0      0   62
2009-07-16 15:08:26.120     0.000 any       70.43.71.13x     1       1      78    0      0   78
2009-07-16 15:17:30.196     0.000 any    216.199.178.19x     1       1     153    0      0  153
2009-07-16 15:30:22.936     0.000 any     209.248.209.5x     1       1     131    0      0  131
2009-07-16 15:17:48.528     0.000 any     209.248.236.1x     1       1      74    0      0   74
2009-07-16 15:23:13.768     0.000 any        64.90.19.5x     1       1     133    0      0  133
2009-07-16 15:02:44.600     0.000 any      66.148.209.6x     1       1     125    0      0  125
2009-07-16 15:17:03.856     0.000 any      69.38.102.25x     1       1      55    0      0   55
2009-07-16 15:32:08.444     0.000 any      69.38.103.15x     1       1     118    0      0  118
2009-07-16 15:31:51.724     0.000 any     216.215.144.1x     1       1     150    0      0  150
2009-07-16 15:25:46.628     0.000 any      216.199.0.13x     1       1      76    0      0   76
2009-07-16 15:15:00.820     0.000 any      72.17.217.19x     1       1     134    0      0  134
2009-07-16 15:05:24.652     0.000 any     216.105.145.1x     1       1      76    0      0   76
2009-07-16 15:17:33.572     0.000 any    216.199.232.12x     1       1     169    0      0  169
2009-07-16 15:13:05.488     0.000 any       69.38.115.6x     1       1      74    0      0   74
2009-07-16 15:12:30.088     0.000 any      66.148.131.5x     1       1      60    0      0   60
2009-07-16 15:10:25.324     0.000 any    209.177.232.19x     1       1     139    0      0  139
Summary: total flows: 988, total bytes: 124194, total packets: 999, avg bps: 450, avg pps: 0, avg bpp: 124
Time window: 2009-07-16 14:56:28 - 2009-07-16 16:21:37
On Thu, Jul 16, 2009 at 3:38 PM, Nicholas Ianelli <ni at centergate.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thanks John! Still working on processing the pcaps, but we are
> experiencing a DDoS against a few of our name servers, a large number of
> hosts are making a ton of MX queries for a variety of domains.
>
> What it looks like is a legitimate domain, but they tack on a few extra
> characters to provide some extra load.
>
> This is mainly affecting our Europe locations.
>
> In my last email to the list, I posted the top 25 sources from a quick
> capture.
>
> Looks like the attack is slowly subsiding. I'll post more details shortly.
>
> Nick
>
> John Fraizer wrote:
> > Summary: total flows: 149, total bytes: 18174, total packets: 153, avg bps: 415, avg pps: 0, avg bpp: 118
> > Time window: 2009-07-16 15:11:27 - 2009-07-16 16:07:21
> >
> > That is at 1:100 sample rate.
> >
> >
> > It's all UDP destined to port 53 on your end with a tiny bit of ICMP DST
> > UNREACH coming from address space on my network back towards your
> > targets. Leads me to believe that there might be some adjacent-block
> > spoofing going on.
> >
> > John
> >
> > On Thu, Jul 16, 2009 at 2:44 PM, Nicholas Ianelli <ni at centergate.net> wrote:
> >
> > ----------- nsp-security Confidential --------
> >
> >
> > Are folks seeing lots of requests destined to any of these IP addresses
> > (UDP based):
> >
> > 156.154.100.3
> > 156.154.101.3
> > 156.154.102.3
> > 156.154.103.3
> >
> > Nick
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
>
>
>
>
> - --
> Nicholas Ianelli: NeuStar, Inc.
> Security Operations
>
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkpfSWwACgkQi10dJIBjZIDlTwCfVkIjin3ju9JlmB4emO1NIUoI
> g2QAoNFwIE+NwzrVckLw2YPRKfD5uIaH
> =cKmH
> -----END PGP SIGNATURE-----
>
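The report John posted is an nfdump "Top N IP Addr ordered by flows" listing, and reading it correctly matters for sizing the attack: the per-address statistic counts each flow under both of its endpoints, so with the filter restricted to the four victims their rows add up to exactly the Summary totals (280+253+241+214 = 988 flows, 284+256+243+216 = 999 packets) and every other row is a remote end of those same flows, with its last octet masked as "x" before posting. The sampled counts also have to be scaled up before they say anything about the real packet rate. Here is an added example, not code from the post or from NeuStar, that parses such a report, separates victims from remote hosts, and scales by the 1:100 sampling rate John quotes for his earlier query (assumed here to apply to this report as well). The sample rows are copied from the report above; the `proto udp and dst port 53` clauses in the filter builder are my addition, narrowing John's `host in [...]` filter to the UDP/53 traffic he reports seeing.

```python
"""Size a DDoS from an nfdump 'Top N IP Addr ordered by flows' report.

Added example (not code from the post). Sample rows are copied from the report in
the thread, with the same 'x'-masked last octets; the 1:100 sampling rate is the one
John quotes for his earlier query and is assumed to apply to this report too.
"""
import re
from dataclasses import dataclass

TARGETS = {"156.154.100.3", "156.154.101.3", "156.154.102.3", "156.154.103.3"}
SAMPLE_RATE = 100  # 1:100 packet sampling (assumption, taken from the quoted message)

# Constructed from rows of the posted report, one record per line as nfdump prints them.
NFDUMP_TOP = """\
Date first seen          Duration Proto          IP Addr Flows Packets   Bytes  pps    bps  bpp
2009-07-16 14:59:30.928  2111.256 any      156.154.101.3   280     284   37114    0    140  130
2009-07-16 14:57:54.940  2202.136 any      156.154.102.3   253     256   31720    0    115  123
2009-07-16 14:58:09.948  2156.384 any      156.154.103.3   241     243   29469    0    109  121
2009-07-16 14:59:25.996  2101.540 any      156.154.100.3   214     216   25891    0     98  119
2009-07-16 14:58:47.600  2139.936 any       216.199.54.x   120     120   16345    0     61  136
2009-07-16 15:00:31.592  2004.224 any       70.43.63.22x    64      64    8693    0     34  135
2009-07-16 15:10:04.604     0.040 any       75.77.48.10x     2       2     240   49  47999  120
Summary: total flows: 988, total bytes: 124194, total packets: 999, avg bps: 450, avg pps: 0, avg bpp: 124
"""

RECORD = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<ip>[\d.x]+)\s+(?P<flows>\d+)\s+(?P<packets>\d+)\s+(?P<nbytes>\d+)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s*$"
)
SUMMARY = re.compile(r"^Summary: total flows: (\d+), total bytes: (\d+), total packets: (\d+)")


@dataclass
class Record:
    ip: str
    duration: float
    flows: int
    packets: int
    nbytes: int

    @property
    def masked(self) -> bool:
        """True for addresses whose last octet was replaced by 'x' before posting."""
        return self.ip.endswith("x")


def parse_top(text):
    """Return (records, totals) from an nfdump -s ip/flows text report."""
    records, totals = [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append(Record(m["ip"], float(m["dur"]), int(m["flows"]),
                                  int(m["packets"]), int(m["nbytes"])))
            continue
        m = SUMMARY.match(line)
        if m:
            totals = {"flows": int(m[1]), "bytes": int(m[2]), "packets": int(m[3])}
    return records, totals


def build_filter(targets, proto="udp", port=53):
    """nfdump filter for traffic to the victims. The proto/port clauses narrow John's
    'host in' filter to the UDP/53 traffic he reports (nfdump filter syntax)."""
    return f"host in [{' '.join(sorted(targets))}] and proto {proto} and dst port {port}"


def summarise(records, totals, targets, sample_rate):
    """Split the report into victim rows and remote ends and scale for sampling.

    With -s ip every flow is counted once under each endpoint, so with the filter
    restricted to the victims their rows add up to the Summary totals and every other
    row is a remote host; target_share therefore comes out at 1.0 on the real data.
    """
    victims = [r for r in records if r.ip in targets]
    remote = [r for r in records if r.ip not in targets]
    flows = sum(r.flows for r in victims)
    packets = sum(r.packets for r in victims)
    window = max((r.duration for r in victims), default=0.0)  # longest victim flow span
    return {
        "target_flows": flows,
        "target_packets": packets,
        "est_packets": packets * sample_rate,                      # undo 1:N sampling
        "est_pps": packets * sample_rate / window if window else 0.0,
        "target_share": flows / totals["flows"] if totals else None,
        "remote_hosts": len(remote),
        "masked_remote": sum(1 for r in remote if r.masked),
    }


if __name__ == "__main__":
    recs, tot = parse_top(NFDUMP_TOP)
    print(build_filter(TARGETS))
    for k, v in summarise(recs, tot, TARGETS, SAMPLE_RATE).items():
        print(f"{k:>15}: {v}")
```

Scaling 999 sampled packets by 100 over the longest victim flow span (about 2202 s) gives roughly 45 pps at this vantage point, which is consistent with John seeing only a slice of an attack that was "slowly subsiding" rather than its full volume; the remote-host count is the figure to compare against Nick's top-25 source list, and the masked addresses only matter when the report is pasted into a list, not when it is run locally.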