[nsp-sec] Numerous 1 Gbps DDOS attacks

Chisholm, Glenn L Glenn.L.Chisholm at team.telstra.com
Tue Sep 29 20:38:15 EDT 2009


Interesting. We have also experienced a very similar attack, source ASes 4134/4837/4538.

TCP 650 byte SYN 1Gbps against an unused address.

Glenn Chisholm
General Manager, Network Security
This communication may contain CONFIDENTIAL information of Telstra Corporation Limited (ABN 33 051 775 556). It may also be the subject of LEGAL PROFESSIONAL PRIVILEGE and/or under copyright. If you are not an intended recipient, you MUST NOT keep, forward, copy, use, save or rely on this communication, and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.


-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Bruce Morgan
Sent: Tuesday, 22 September 2009 11:39 AM
To: NSP-SEC Mailing List
Subject: [nsp-sec] Numerous 1 Gbps DDOS attacks

----------- nsp-security Confidential --------

Hi All,

We've seen a number of > 1 Gbps DDOS attacks against even non-existent hosts
in our network the past two weeks with the bulk of the traffic coming from
AS4134 (China Telecom). The first attack was over a month ago, but the last
two weeks have seen activity every couple of days.

The times of the attacks were (UTC):

Saturday 2009 Aug 11 16:40 200kpps, 1 Gbps, TCP 450 byte SYN across all
ports (random) against 202.9.0.11

Saturday 2009 Sep 11 14:50 200kpps, 1 Gbps, TCP 650 byte SYN across all
ports (random) against 202.9.0.115

Sunday 2009 Sep 13 09:02 200 kpps,  1 Gbps, TCP 650 byte SYN across all
ports (random) against 202.6.112.245

Thursday 2009 Sep 17 09:00 30 kpps 600 mbps, TCP 650  byte SYN across all
ports (random) against 202.9.0.57

Monday 2009 Sep 21 13:45 240 pps, 1 Gbps, TCP 450 and TCP 650 SYN across all
ports (random) against 202.12.92.36

from several million IPs in various address blocks in AS4134, e.g.
124.133.24.0/24, 218.5.203.0/24, 211.90.11.0/24 etc. (spoofed
hosts)

Anyone seeing anything that may help track this down? Any way of identifying
the C&C?

Regards

Bruce
-- 
street address:  AARNet, POD 3, 20 Dick Perry Ave, Kensington, WA 6151,
Australia 
m. 0408 882 390     t. +61 8 9289 2212      e. bruce.morgan at aarnet.edu.au
w. www.aarnet.edu.au

important 
This email and any files transmitted with it are confidential, and the
rights of confidentiality in such information are not waived or lost by its
mistaken delivery to you.  Any dissemination, copying, use or disclosure of
the email and/or such files without the permission of AARNet, or the sender,
is strictly prohibited.  If you have received this email in error, please
contact the sender immediately and delete all copies of this transmission.




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
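The traffic signature both reports describe (pure SYN flows, 450/650-byte packets, random destination ports, millions of spoofed sources, a target address with no host behind it) is the kind of thing a flow-record detector can pick out. The following is an added example written for this page, not code from either poster; it runs over constructed flow records, and its thresholds and the 124.133.0.0/16 source space it models are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
import random

SYN = 0x02  # SYN bit in a flow record's cumulative TCP flags field

def detect_large_syn_floods(flows, used_hosts, min_srcs=1000, min_ports=100, min_pkt=400):
    """flows: iterable of (src_ip, dst_ip, dst_port, tcp_flags, packets, bytes).
    Returns {dst_ip: summary} for destinations showing the reported pattern.
    Thresholds are assumptions, not values taken from the thread."""
    per_dst = defaultdict(lambda: {"srcs": set(), "ports": set(), "pkts": 0, "bytes": 0})
    for src, dst, dport, flags, pkts, nbytes in flows:
        if flags != SYN:  # a completed or reset handshake is not flood traffic
            continue
        s = per_dst[dst]
        s["srcs"].add(src)
        s["ports"].add(dport)
        s["pkts"] += pkts
        s["bytes"] += nbytes
    hits = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["pkts"]  # oversized SYNs (450/650 B) vs the usual ~60 B
        if len(s["srcs"]) >= min_srcs and len(s["ports"]) >= min_ports and avg >= min_pkt:
            hits[dst] = {"sources": len(s["srcs"]), "ports": len(s["ports"]),
                         "avg_pkt_bytes": round(avg), "unused_target": dst not in used_hosts}
    return hits

def constructed_flows(seed=1):
    """Constructed sample data: 3000 spoofed sources (random hosts in an assumed
    /16) each send one 650-byte SYN to a random port on an unused address,
    while a few real clients complete handshakes to a web server."""
    rng = random.Random(seed)
    space = ip_network("124.133.0.0/16")
    base = int(space.network_address)
    flood = [(str(ip_address(base + rng.randrange(space.num_addresses))),
              "202.9.0.115", rng.randrange(1, 65536), SYN, 1, 650) for _ in range(3000)]
    normal = [(f"10.0.0.{i}", "202.9.0.10", 80, SYN | 0x10 | 0x08, 12, 9000)
              for i in range(1, 20)]
    return flood + normal

if __name__ == "__main__":
    print(detect_large_syn_floods(constructed_flows(), used_hosts={"202.9.0.10"}))
```

The "unused_target" flag is what makes the alert cheap to triage: a SYN flood at an address nothing answers on has no legitimate explanation.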