[nsp-sec] 9.5+ Gbps of love - any assistance appreciated

Greg Schwimer gschwimer at godaddy.com
Sat Nov 7 15:46:49 EST 2009 

You should be seeing active flows right now. My ops guys jumped the  
gun and shifted back to you. We're seeing 9+ Gbps at the moment.

- Greg

On Nov 7, 2009, at 1:07 PM, "Smith, Donald" <Donald.Smith at qwest.com>  
wrote:

> Ok let me check yesterdays flows and see what I can see.
> Todays netflow didn't have a hint of it in there.
> If it is traversing out link and going to a customer port we may be  
> able to do something for you. Did Godaddy call the noc for  
> assistence or is this your first attempt to reach out to qwest?
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
> ________________________________
> From: Greg Schwimer [gschwimer at godaddy.com]
> Sent: Saturday, November 07, 2009 12:59 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] 9.5+ Gbps of love - any assistance appreciated
>
> The have diverted traffic away from you at this time.  The flows  
> were hitting us directly through your network until that time.  It  
> congested one of our 10G links with you.  You're probably not seeing  
> any longer.
>
> Greg Schwimer
> GoDaddy.com
> gschwimer at godaddy.com
> tel. 480-366-3636
>
> === 
> === 
> === 
> === 
> ======================================================================
> Please contact my supervisor at wthayer at godaddy.com with any feedback.
> === 
> === 
> === 
> === 
> ======================================================================
>
> -------- Original Message --------
> Subject: RE: [nsp-sec] 9.5+ Gbps of love - any assistance appreciated
> From: "Smith, Donald" <Donald.Smith at qwest.com>
> Date: Sat, November 07, 2009 12:43 pm
> To: Greg Schwimer <gschwimer at godaddy.com>,
> "nsp-security at puck.nether.net" <nsp-security at puck.nether.net>
>
> Greg, when I look at that IP, I see it going out one of our borders  
> towards a peer (as6453), not a customer edge so I am wondering why  
> you think we are impacted?
>
>
>> traceroute 72.167.232.69
> traceroute to 72.167.232.69 (72.167.232.69), 64 hops max, 40 byte  
> packets
> 1 min-core-02.inet.qwest.net (205.171.128.194) 0.327 ms 0.266 ms  
> 0.228 ms
> 2 chp-brdr-03.inet.qwest.net (67.14.8.194) 10.371 ms 10.460 ms  
> 10.456 ms
> 3 63.146.26.250 (63.146.26.250) 12.959 ms 17.334 ms 17.825 ms
> 4 Vlan1270.icore1.SQN-SanJose.as6453.net (206.82.141.22) 67.684 ms  
> 55.153 ms
> 55.284 ms
> 5 ix-5-0.icore1.SQN-SanJose.as6453.net (209.58.116.6) 61.815 ms  
> 61.893 ms 6
> 2.034 ms
> 6 172.16.5.1 (172.16.5.1) 61.677 ms 61.589 ms 61.410 ms
> 7 209.200.184.34 (209.200.184.34) 61.789 ms 62.128 ms 62.365 ms
> 8 209.200.186.74 (209.200.186.74) 66.361 ms 67.120 ms 66.430 ms
> 9 ip-208-109-112-202.ip.secureserver.net (208.109.112.202) 66.421 ms  
> 66.402
> ms 66.424 ms
> 10 ip-216-69-188-85.ip.secureserver.net (216.69.188.85) 66.669 ms  
> 66.474 ms
> 66.672 ms
> 11 ip-208-109-112-1.ip.secureserver.net (208.109.112.1) 66.654 ms  
> 66.549 ms
> 66.331 ms
> 12 *
> ip-208-109-112-1.ip.secureserver.net (208.109.112.1) 66.401 ms !X *
> 13 *
> ip-208-109-112-1.ip.secureserver.net (208.109.112.1) 66.333 ms !X *
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
> ________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security- 
> bounces at puck.nether.net] On Behalf Of Greg Schwimer  
> [gschwimer at godaddy.com]
> Sent: Saturday, November 07, 2009 10:31 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] 9.5+ Gbps of love - any assistance appreciated
>
> ----------- nsp-security Confidential --------
>
> Qwest - I believe this has impacted you guys as well.
>
>
> It's been on and off for the last few days. I don't have a list of IPs
> for this most recent occurrence yet but if anyone sees anything that  
> is
> helpful I'd be very appreciative.
>
> Victim: 72.167.232.69
>
> History:
>
> The last attack data showed the source was primarily from AS4134. I'm
> not sure this is the case this time but wouldn't be surprised. I'll
> post source data as soon as I get it.
>
>
>
> Greg Schwimer
> GoDaddy.com
> gschwimer at godaddy.com
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp- 
> security
> community. Confidentiality is essential for effective Internet  
> security counter-measures.
> _______________________________________________
>
>
> ________________________________
> This communication is the property of Qwest and may contain  
> confidential or
> privileged information. Unauthorized use of this communication is  
> strictly
> prohibited and may be unlawful. If you have received this  
> communication
> in error, please immediately notify the sender by reply e-mail and  
> destroy
> all copies of the communication and any attachments.
>
> ________________________________
> This communication is the property of Qwest and may contain  
> confidential or
> privileged information. Unauthorized use of this communication is  
> strictly
> prohibited and may be unlawful. If you have received this  
> communication
> in error, please immediately notify the sender by reply e-mail and  
> destroy
> all copies of the communication and any attachments.

More information about the nsp-security mailing list