[nsp-sec] DDoS against the Swedish Police website.

Par Osterberg Medina par.osterberg at sitic.se
Sun Nov 8 16:34:09 EST 2009


Hi list,

The Swedish Police were attacked at the end of last month. The attack
started the 29th of October and consisted of UDP packets to port 53 and
TCP-SYNs to port 80. The IP that got hit was 147.186.254.52.

I have attached three lists with IPs that took part in the attack.

port80 and port53
The IP addresses (duplicates exist) that sent TCP-SYN packets to port
80 and port 53. The time is Swedish time plus 1h 15 minutes, UTC/GMT +2
hours 15 minutes (please don't kill the messenger, instead send him a
link to a Perl module that will let him correct the time drift ;)

top_talkers
These are IPs (duplicates exist) that have either sent more than 1 Kpps
and/or used 10 Mbps or more, so there might be false positives here. The
time is in Swedish time, UTC/GMT +1 hour.

I do not suspect that these IPs are spoofed since I have cross-referenced
these lists with lists from other incidents that took place close in time
and found a lot of matches. Please let me know if you have other
indications.

The attack is not ongoing; however, I appreciate all your help in
notifying the correct organizations so they can have their systems
cleaned. Also _please_ throw any piece of malware that you suspect was
used to coordinate the attack in my direction ;)

Regards

-- 
Pär Österberg Medina
Sitic, GovCERT-SE
https://www.sitic.se/par.osterberg_at_sitic.se.asc
FCFC D74F 5708 D228 32CB  B547 A481 1FB9 DC14 8BBF
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: port53.nsp-sec.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091108/ce379af7/attachment-0003.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: port80.nsp-sec.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091108/ce379af7/attachment-0004.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: top_talkers.nsp-sec.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091108/ce379af7/attachment-0005.txt>

