[nsp-sec] DoS Earlier Today
Matthew.Swaar at us-cert.gov
Tue Sep 29 19:05:27 EDT 2009
Heyo, Rob!
Thanks for the information. We're requesting logs (if any) from the
victim site to see if they can shed some light on this. If I get back
something credible, I'll pass it along for situational awareness.
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: Rob Thomas [mailto:robt at cymru.com]
Sent: Tuesday, September 29, 2009 6:19 PM
To: Swaar, Matthew
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DoS Earlier Today
Hey, Matt.
Sorry to hear about the DDoS attack.
> Host 130.14.29.110 was the recipient. The traffic was from a single
> source IP (218.58.75.201, China Unicom AS4837 I think) and didn't
> appear to be spoofed. Traffic was TCP-80 and a 3-way handshake
> appeared to be completed.
It appears that 218.58.75.201 is a Unix box, probably Linux but possibly
FreeBSD. It's also showing up as a Conficker node, so I'm going to
guess it's a proxy/NAT gateway/firewall device.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);