[nsp-sec] Numerous 1 Gbps DDOS attacks

Bruce Morgan Bruce.Morgan at aarnet.edu.au
Mon Sep 21 21:38:49 EDT 2009


Hi All,

We've seen a number of > 1 Gbps DDoS attacks against even non-existent hosts
in our network the past two weeks, with the bulk of the traffic coming from
AS4134 (China Telecom). The first attack was over a month ago, but the last
two weeks have seen activity every couple of days.

The times of the attacks were (UTC):

Saturday 2009 Aug 11 16:40 200kpps, 1 Gbps, TCP 450 byte SYN across all
ports (random) against 202.9.0.11

Saturday 2009 Sep 11 14:50 200kpps, 1 Gbps, TCP 650 byte SYN across all
ports (random) against 202.9.0.115

Sunday 2009 Sep 13 09:02 200 kpps, 1 Gbps, TCP 650 byte SYN across all
ports (random) against 202.6.112.245

Thursday 2009 Sep 17 09:00 30 kpps, 600 Mbps, TCP 650 byte SYN across all
ports (random) against 202.9.0.57

Monday 2009 Sep 21 13:45 240 pps, 1 Gbps, TCP 450 and TCP 650 SYN across all
ports (random) against 202.12.92.36

from several million IPs in various address blocks in AS4134, e.g.
124.133.24.0/24, 218.5.203.0/24, 211.90.11.0/24, etc. (spoofed
hosts)

Anyone seeing anything that may help track this down? Any way of identifying
the C&C?

Regards

Bruce
-- 
street address:  AARNet, POD 3, 20 Dick Perry Ave, Kensington, WA 6151,
Australia 
m. 0408 882 390     t. +61 8 9289 2212      e. bruce.morgan at aarnet.edu.au
w. www.aarnet.edu.au

important 
This email and any files transmitted with it are confidential, and the
rights of confidentiality in such information are not waived or lost by its
mistaken delivery to you.  Any dissemination, copying, use or disclosure of
the email and/or such files without the permission of AARNet, or the sender,
is strictly prohibited.  If you have received this email in error, please
contact the sender immediately and delete all copies of this transmission.
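The pattern reported above (a flood of SYN segments from many spoofed sources, random destination ports, and unusually large 450/650-byte SYNs) is easy to pick out of flow records even when the sources themselves cannot be traced. The following is an added example, not code from the original post or from AARNet: a small detector run over constructed flow records in a hypothetical whitespace-separated export format (timestamp, src, dst, proto, sport, dport, TCP flags, packets, octets). The thresholds, the sample data and the record format are assumptions; a real deployment would scale the rate thresholds to the kpps figures in the report and feed it from a collector such as nfdump. Because the sources are spoofed, the detector scores only per-destination features (SYN rate, source and port spread, average SYN size) and makes no attempt to attribute a C&C.

```python
"""Flag SYN-flood victims in flow records (hypothetical format, constructed data).

Added example, not from the original post. The record format, thresholds and
sample traffic are assumptions chosen to mirror the reported attack shape:
spoofed sources across several /24s, random destination ports, 650-byte SYNs.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds within the window
    src: str
    dst: str
    proto: int       # IP protocol number; 6 == TCP
    sport: int
    dport: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "PA"
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the assumed export format: 9 whitespace-separated fields."""
    ts, src, dst, proto, sport, dport, flags, packets, octets = line.split()
    return Flow(float(ts), src, dst, int(proto), int(sport), int(dport),
                flags, int(packets), int(octets))


def summarize(flows, window_s=1.0):
    """Per-destination stats over SYN-only TCP flows (proto 6, flags exactly 'S')."""
    per_dst = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.flags == "S":
            per_dst[f.dst].append(f)
    stats = {}
    for dst, fl in per_dst.items():
        pkts = sum(f.packets for f in fl)
        octs = sum(f.octets for f in fl)
        stats[dst] = {
            "pps": pkts / window_s,
            "bps": octs * 8 / window_s,
            "sources": len({f.src for f in fl}),      # spoofed => very high
            "dports": len({f.dport for f in fl}),     # random ports => very high
            "avg_syn_bytes": octs / pkts,             # a normal SYN is ~60-80 bytes
        }
    return stats


def detect_syn_flood(flows, window_s=1.0, min_pps=200, min_sources=100,
                     min_dports=50, max_normal_syn=100):
    """Return {dst: stats} for destinations that match the reported pattern:
    high SYN rate, many sources, many destination ports, oversized SYN segments.
    Thresholds are assumptions scaled for the small sample below."""
    hits = {}
    for dst, s in summarize(flows, window_s).items():
        if (s["pps"] >= min_pps and s["sources"] >= min_sources
                and s["dports"] >= min_dports
                and s["avg_syn_bytes"] > max_normal_syn):
            hits[dst] = s
    return hits


def constructed_sample(seed=1):
    """Constructed records: 300 spoofed 650-byte SYNs in one second against one
    host, plus a little benign traffic (normal-size SYNs and established flows)."""
    rng = random.Random(seed)
    prefixes = ["124.133.24.", "218.5.203.", "211.90.11."]
    lines = []
    for _ in range(300):
        src = rng.choice(prefixes) + str(rng.randint(1, 254))
        lines.append(f"{rng.random():.3f} {src} 202.9.0.115 6 "
                     f"{rng.randint(1024, 65535)} {rng.randint(1, 65535)} S 1 650")
    for i in range(5):
        lines.append(f"{rng.random():.3f} 203.0.113.{i + 1} 202.9.0.57 6 "
                     f"{40000 + i} 443 S 1 60")
        lines.append(f"{rng.random():.3f} 203.0.113.{i + 1} 202.9.0.57 6 "
                     f"{40000 + i} 443 PA 20 12000")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(line) for line in constructed_sample()]
    for dst, s in detect_syn_flood(flows).items():
        print(f"{dst}: {s['pps']:.0f} pps, {s['bps'] / 1e6:.2f} Mbps, "
              f"{s['sources']} srcs, {s['dports']} dports, "
              f"avg SYN {s['avg_syn_bytes']:.0f} B")
```

The "avg_syn_bytes" feature is the one worth keeping even after tuning the rate thresholds: a SYN carrying hundreds of bytes of payload is almost never legitimate, so it separates this flood from a flash crowd of real clients hitting a popular host at a similar packet rate.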