[nsp-sec] Potential Wikileaks related DDoS traffic
Tim Wilde
twilde at cymru.com
Thu Dec 9 15:28:35 EST 2010
On 12/9/2010 2:55 PM, Daniel Schwalbe wrote:
> ----------- nsp-security Confidential --------
>
>
> Does anybody have a read on which IPs or ASs are being targeted for the
> reportedly ongoing DDoS related to Wikileaks?
>
> Any idea about real numbers of volume of traffic involved, or is it just
> the media blowing things out of proportion again?

Daniel,

Current targets we've seen are api.paypal.com TCP/443 and www.paypal.com
TCP/443. They appear to live in AS17012 and AS11643 (PayPal and eBay).
I don't have numbers on the volume of traffic, but my understanding is
that it's just a large volume of HTTPS GET requests, and may be
differentiable from "real" traffic based on its headers (or lack thereof
- I haven't analyzed it in detail myself).

FWIW, Team Cymru has analyzed and included in the DDoS-RS most of the
IPs that we are aware of coordinating this attack, as we consider them
to be blockable C&Cs; regardless of the end-user's intent, these attacks
are illegal and contrary to the health of the Internet. Those IPs we
haven't listed are not listed only because we haven't been able to
positively confirm that they are active C&Cs at this time (IMO likely
because they're overloaded from the others being at least partially
offline, but until we can positively confirm, we won't list, per our
policies).

For more information on the DDoS-RS project, please visit:
https://www.cymru.com/nsp-sec/DDoS-RS/

And as always, please remember, this project is for NSP-SEC
consumption/discussion only, please do not discuss it outside of this
community.

Best regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/