[nsp-sec] Potential Wikileaks related DDoS traffic

Dave Burke dave at amazon.com
Fri Dec 10 10:17:57 EST 2010



We (www.amazon.com) got hit yesterday afternoon.
About 100Mb/s being blocked. It was all coming from LOIC. Junk traffic
dumped against port 80 & port 443. The port 443 was plaintext as well.

Some of the pkts captured were:

45 00 00 3a d5 27 40 00 7b 06 84 f4 5e dc 3c af E..:.'@.{...^.<.
48 15 c2 01 8f 75 00 50 22 cd c9 20 a9 f9 62 5c H....u.P".. ..b\
50 18 32 40 73 e6 00 00 73 61 72 61 68 20 66 6f P.2@s...sarah fo
72 20 74 65 68 20 6c 75 6c 7a                   r teh lulz

45 00 01 4a 00 00 40 00 2b 06 27 dc 48 15 c2 f7 E..J..@.+.'.H...
48 15 d3 b0 60 85 01 bb 00 00 00 00 00 00 00 00 H...`...........
50 1e ff ff 1b 88 00 00 78 53 20 6c 69 6b 65 73 P.......xS likes
20 74 6f 20 6c 69 76 65 20 69 6e 20 79 6f 75 72  to live in your
20 6c 6f 67 73 78 53 20 6c 69 6b 65 73 20 74 6f  logsxS likes to
20 6c 69 76 65 20 69 6e 20 79 6f 75 72 20 6c 6f  live in your lo
67 73 78 53 20 6c 69 6b 65 73 20 74 6f 20 6c 69 gsxS likes to li
76 65 20 69 6e 20 79 6f 75 72 20 6c 6f 67 73 78 ve in your logsx
53 20 6c 69 6b 65 73 20 74 6f 20 6c 69 76 65 20 S likes to live
69 6e 20 79 6f 75 72 20 6c 6f 67 73 78 53 20 6c in your logsxS l
69 6b 65 73 20 74 6f 20 6c 69 76 65 20 69 6e 20 ikes to live in
79 6f 75 72 20 6c 6f 67 73 78 53 20 6c 69 6b 65 your logsxS like
73 20 74 6f 20 6c 69 76 65 20 69 6e 20 79 6f 75 s to live in you
72 20 6c 6f 67 73 78 53 20 6c 69 6b 65 73 20 74 r logsxS likes t
6f 20 6c 69 76 65 20 69 6e 20 79 6f 75 72 20 6c o live in your l
6f 67 73 78 53 20 6c 69 6b 65 73 20 74 6f 20 6c ogsxS likes to l
69 76 65 20 69 6e 20 79 6f 75 72 20 6c 6f 67 73 ive in your logs
78 53 20 6c 69 6b 65 73 20 74 6f 20 6c 69 76 65 xS likes to live
20 69 6e 20 79 6f 75 72 20 6c 6f 67 73 78 53 20  in your logsxS
6c 69 6b 65 73 20 74 6f 20 6c 69 76 65 20 69 6e likes to live in
20 79 6f 75 72 20 6c 6f 67 73                    your logs


We saw some background ICMP floods but nothing too major.
It was about 21,000 unique source IPs. But I was seeing spoofed
packets coming in, using our VIP IP /24 as the src IPs.

dave

On 10/12/2010 15:04, Jan Boogman wrote:
> ----------- nsp-security Confidential --------
> 
> Hi Daniel
> 
> we got our fair share of the attack against postfinance.ch last tuesday.
> 
> Some numbers:
> attack volume about 150Mbps / 300kpps peak during 16 hours
> 
> 95% of the attack entered our network in the US 
> 
> about 90% of the traffic was sourced by these (probably spoofed) 5 src IPs:
> 
> 72.9.153.142/32 
> 128.138.6.213/32 
> 109.169.67.110/32 
> 81.169.145.25/32 
> 213.114.73.229/32
> 
> Cheers
> Jan
> Swisscom
> 
> On 09.12.2010 at 20:55, Daniel Schwalbe wrote:
> 
>> ----------- nsp-security Confidential --------
>>
>>
>> Does anybody have a read on which IPs or ASs are being targeted for the reportedly ongoing DDoS related to Wikileaks?
>>
>> Any idea about real numbers of volume of traffic involved, or is it just the media blowing things out of proportion again?
>>
>> Thanks!
>> 	-Daniel
>>
>> --
>> Daniel Schwalbe, CISSP, CISM, CIPP
>> Assistant Director of Security Services
>> Office of the CISO
>> University of Washington
>> Phone +1(206) 685-8210 | Email dfs at uw.edu
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
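Added example, not part of the thread: a small Python classifier that parses the first hex dump from Dave's message as IPv4/TCP, extracts the payload and flags the LOIC junk strings, non-TLS payloads on port 443 and sources inside the local VIP /24; the prefix 72.21.194.0/24 is assumed from the destination address in that dump.

```python
import ipaddress

# First LOIC packet quoted in the thread, rebuilt from its hex dump (the
# leading "45" is the IPv4 version/IHL byte that the archive text dropped).
PKT_HEX = """
45 00 00 3a d5 27 40 00 7b 06 84 f4 5e dc 3c af
48 15 c2 01 8f 75 00 50 22 cd c9 20 a9 f9 62 5c
50 18 32 40 73 e6 00 00 73 61 72 61 68 20 66 6f
72 20 74 65 68 20 6c 75 6c 7a
"""

# Junk payload strings seen in the two captures above.
LOIC_MARKERS = (b"sarah for teh lulz", b"xS likes to live in your logs")

# Assumed local VIP prefix, taken from the destination of the first dump;
# an inbound packet claiming a source inside it is spoofed.
OWN_PREFIX = ipaddress.ip_network("72.21.194.0/24")

def parse_hexdump(text):
    """Turn a whitespace-separated hex dump into raw packet bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def tcp_fields(pkt):
    """Parse IPv4 + TCP headers; return (src, dst, sport, dport, payload)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    tcp = pkt[ihl:total_len]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4  # TCP data offset, in bytes
    return src, dst, sport, dport, tcp[doff:]

def classify(pkt):
    """Return the reasons to flag an inbound packet (empty list = clean)."""
    src, _dst, _sport, dport, payload = tcp_fields(pkt)
    reasons = []
    if any(m in payload for m in LOIC_MARKERS):
        reasons.append("loic-payload")
    # TLS records start with a content-type byte 0x14..0x17; anything else
    # on 443 is the "plaintext on 443" junk described in the message.
    if dport == 443 and payload and not 0x14 <= payload[0] <= 0x17:
        reasons.append("plaintext-on-443")
    if ipaddress.ip_address(src) in OWN_PREFIX:
        reasons.append("spoofed-own-prefix")
    return reasons
```

Running classify() over the first dump returns only the LOIC payload reason, since that packet carries an external source and targets port 80.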


