[nsp-sec] DNS DDoS against Softlayer
YoungBaek Kim
ybkim at krcert.or.kr
Fri May 29 07:44:18 EDT 2009
Hello.
We, KrCERT, found malware at 165.194.192.150 (in the "asninfo-20090520.txt").
It was infected by a Netbot DDoS agent (TxmethD.dll).
We don't have any evidence that it attacked your servers, but Netbot can launch the UDP fragment attack (see the attachment).
C&C: 66.as000.org (112.121.163.173)
Windows Services :
* Name : MediaCenter
* DisplayName : MS Media Control Center
* ServiceDll : C:\WINDOWS\system32\TxmethD.dll
http://www.virustotal.com/en/analisis/d13f4c110ad5e5661b465891efffd42258596f4ead4a24a9b9e1e9770fb0b250-1243588637
We will ask major Korean ISPs to block the C&C (66.as000.org) ASAP.
Regards.
=============================================================
Mr. Young-Baek Kim, Ph.D
Senior Researcher / CISSP / CISA
Network Monitoring Team
Korea Internet Security Center, KrCERT/CC
Korea Information Security Agency(KISA)
Tel : +82 2 4055 241 , Fax : +82 2 4055 129
Address : 78, Garak-Dong, Songpa-Gu, Seoul, Korea 138-803
e-mail : ybkim at kisa.or.kr, ybkim at krcert.or.kr
=============================================================
----- Original Message -----
From: "Tom Daly" <tom at dyn-inc.com>
To: "NSP-SEC List" <nsp-security at puck.nether.net>
Sent: Thursday, May 28, 2009 2:50 AM
Subject: Re: [nsp-sec] DNS DDoS against Softlayer
> ----------- nsp-security Confidential --------
>
>
> --------------------------------------------------------------------------------
> Teams,
> The sources from the packeting we took last week are attached - anyone know of bots or C&Cs related?
>
> Can folks from Rackspace, SoftLayer, or other please post sources for correlation?
>
> The attack seemed primarily composed of IP packets set to protocol type UDP with an invalid payload. The more-fragments bit was always set. We've also seen non-more-fragments packets with invalid payloads of specific packet lengths, 540 bytes and 1480 bytes.
>
> Here are the filters being used to mitigate:
>
> term DNS-Frag {
>     from {
>         destination-prefix-list {
>             DNSServers;
>         }
>         fragment-flags more-fragments;
>         destination-port domain;
>     }
>     then {
>         count dns-fragment;
>         log;
>         discard;
>     }
> }
> term DNS-BadSize {
>     from {
>         destination-prefix-list {
>             DNSServers;
>         }
>         packet-length [ 540 1480 ];
>         destination-port domain;
>     }
>     then {
>         count dns-badsize;
>         log;
>         discard;
>     }
> }
>
> Regards,
> Tom
>
> --
> Tom Daly
> Dynamic Network Services, Inc.
> P: +1-603-296-1537
> http://dynamicnetworkservices.com/
>
> --------------------------------------------------------------------------------
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
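As an added example (not code from either message, and not Dyn's filter itself), here is a Python classifier that applies the two filter terms quoted above to raw IPv4/UDP packets, so the same logic can be checked against a packet capture offline. The 192.0.2.x addresses stand in for the DNSServers prefix list and the sample packets are constructed; one caveat the code makes explicit is that both terms match on destination-port, which only the initial fragment of a datagram can satisfy.

```python
import socket
import struct

# Constructed stand-ins for the DNSServers prefix list and the filter's constants.
DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}
BAD_SIZES = {540, 1480}      # packet-length [ 540 1480 ] in term DNS-BadSize
IPPROTO_UDP, DNS_PORT = 17, 53

def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields the two filter terms look at."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "mf": bool(flags_frag & 0x2000),   # more-fragments bit
            "frag_off": flags_frag & 0x1FFF,   # fragment offset (8-byte units)
            "dst": socket.inet_ntoa(dst)}

def classify(pkt: bytes) -> str:
    """Evaluate the terms in filter order; return the first matching term name or 'accept'."""
    ip = parse_ipv4(pkt)
    if ip["dst"] not in DNS_SERVERS or ip["proto"] != IPPROTO_UDP:
        return "accept"
    # Only the initial fragment carries the UDP header, so a destination-port match cannot fire on offset > 0.
    if ip["frag_off"] != 0:
        return "accept"
    dport = struct.unpack("!H", pkt[ip["ihl"] + 2:ip["ihl"] + 4])[0]
    if dport != DNS_PORT:
        return "accept"
    if ip["mf"]:                          # term DNS-Frag
        return "DNS-Frag"
    if ip["total_len"] in BAD_SIZES:      # term DNS-BadSize
        return "DNS-BadSize"
    return "accept"

def build_udp_packet(dst: str, dport: int, total_len: int, mf: bool, frag_off: int = 0) -> bytes:
    """Constructed test packet: IPv4 header + UDP header + zero padding up to total_len bytes."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, IPPROTO_UDP, 0,
                         socket.inet_aton("198.51.100.7"), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", 40000, dport, total_len - 20, 0)
    return ip_hdr + udp_hdr + b"\x00" * (total_len - 28)

# Constructed sample traffic shaped like the attack described in the thread.
SAMPLE = [
    build_udp_packet("192.0.2.53", 53, 100, mf=True),    # MF set, to a DNS server   -> DNS-Frag
    build_udp_packet("192.0.2.53", 53, 540, mf=False),   # 540-byte non-fragment     -> DNS-BadSize
    build_udp_packet("192.0.2.54", 53, 1480, mf=False),  # 1480-byte non-fragment    -> DNS-BadSize
    build_udp_packet("192.0.2.53", 53, 64, mf=False),    # ordinary-sized query      -> accept
    build_udp_packet("192.0.2.99", 53, 540, mf=False),   # host not in DNSServers    -> accept
]
```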
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UDP 1480Byte.JPG
Type: image/jpeg
Size: 85681 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090529/11c9060a/attachment-0001.jpe>