[nsp-sec] UDP based DDoS Attack

Nicholas Ianelli ni at centergate.net
Tue May 12 15:56:54 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forgot the targets, sorry bout that:

204.74.108.253
204.74.109.253
199.7.68.253
199.7.69.253
204.74.114.253
204.74.115.253

There was also some overlap with the hosts seen in the TCP SYN attack,
namely:


Nick


Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> Team,
> 
> We experienced a two prong DDoS attack earlier this morning. Below are
> the hosts that were seen sending UDP based packets (~360Mbps -
> destination ports 0-5120/UDP but not port 53/UDP) to the target. I do
> not have exact timestamps for the below hosts nor am I certain these
> were not spoofed - they were seen sending packets during the following
> window:
> 
> 1134-1207 GMT
> 
> Hosts participating in this portion of the attack can be retrieved from
> the following URL or from below my signature line.
> 
> https://asn.cymru.com/nsp-sec/upload/1242154656.whois.txt
> 
> Any help in coordinating and tracking down the Command and Control (C2)
> would be greatly appreciated.
> 
> Cheers,
> Nick
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________



- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkoJ1IYACgkQi10dJIBjZIBnsQCfYtgSQ3whevVzV0+kkS6wHi2c
KjcAnAs5r5xVKv+7iwFa3/dsoqPdw5rT
=KMd6
-----END PGP SIGNATURE-----


